Yesterday we reported on a major UAC security flaw where malicious hackers could potentially execute a script on a users machine by tricking into them into opening a disguised exe. This script would disable UAC without user interaction and without the users knowledge.
A Microsoft spokesperson has provided Neowin with a response to the issue:
- This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
- Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
- UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
- The only way this could be changed without the user's knowledge is by malicious code already running on the box.
- In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)
93 Comments
Load the comments and join the conversation!
Read the comments, ask the editors questions, show respect and join the conversation.