Microsoft U-turn on UAC vulnerability
After initially dismissing the discovery that User Account Control (UAC) could be disabled without the user's permission as a "by design" feature, Microsoft's Windows 7 engineering team has now relented and announced changes to come in the release candidate for Windows 7. In an earlier blog posting, Microsoft's Jon DeVaan had described the feedback on the issue as "interesting", but said they did not consider the issue a vulnerability in the strictest sense "because malicious software would already need to be running".
But now, in a new posting, the engineering team has announced that it will incorporate two changes in the Windows 7 release candidate. The first change makes the UAC control panel run in a "high integrity process", a change they say was already in the works. This means that the mechanism used in the original demonstration will no longer work, as SendKeys will not be able to send keystrokes to the control panel. The second change will make the process of changing the UAC level always prompt for confirmation. Together, these changes should prevent malicious applications from turning off UAC once they have gained access to an administrative account.
Long Zheng, who discovered the original flaw, welcomed the changes, saying "The result is actually even slightly better than what I had hoped for", as he had originally only sought the latter of the two changes. Zheng does advise that, because these changes will only apply to the yet-to-be-released Windows 7 release candidate, "everyone using the Windows 7 Beta should change their UAC setting to 'max' to ensure they are safe from either UAC vulnerabilities."
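A defender-side check for the advice above, added here as an example and not part of the original article or of Microsoft's guidance: it reads the documented UAC policy values from the registry and reports whether the slider is at its maximum ("Always notify"), with an optional helper to raise it. The value-to-slider mapping and the function names are assumptions for Windows 7.

```powershell
# Added example (not from the article): audit, and optionally enforce, the
# Windows 7 UAC slider position using the documented policy values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# The mapping of values to slider positions is an assumption for Windows 7.
function Get-UacLevel {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path
    $enableLua = [int]$p.EnableLUA                   # 0 = UAC switched off entirely
    $consent   = [int]$p.ConsentPromptBehaviorAdmin  # 0 = never prompt, 2 = always, 5 = non-Windows binaries only
    $secure    = [int]$p.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop

    if     ($enableLua -eq 0)                  { $label = 'UAC disabled' }
    elseif ($consent -eq 2 -and $secure -eq 1) { $label = 'Always notify (max)' }
    elseif ($consent -eq 5 -and $secure -eq 1) { $label = 'Notify for non-Windows changes (Windows 7 default)' }
    elseif ($consent -eq 5 -and $secure -eq 0) { $label = 'Notify without secure desktop' }
    elseif ($consent -eq 0)                    { $label = 'Never notify' }
    else                                       { $label = 'Non-standard combination' }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $label
        IsMax                      = ($enableLua -eq 1 -and $consent -eq 2 -and $secure -eq 1)
    }
}

function Set-UacMax {
    # Raise the slider to "Always notify". Requires an elevated prompt;
    # a change to EnableLUA only takes effect after a reboot.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $path -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $path -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $path -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$state = Get-UacLevel
$state | Format-List
if (-not $state.IsMax) {
    Write-Warning "UAC is not at 'Always notify'; run Set-UacMax from an elevated prompt to raise it."
}
```

The audit function runs as a standard user; only Set-UacMax needs elevation, since it writes to HKLM.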