
The Windows 7 UAC “Vulnerability”

It is always interesting how some things spin off. The claimed UAC vulnerability in Windows 7 is one of those events. Numerous blogs claim that they found a huge vulnerability in Windows 7, the reason being that you can change the UAC settings without getting a UAC prompt.

Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements: “I do not want to get all these UAC elevation prompts just because I change my Windows settings”. We heard you loud and clear. So we decided to do what you asked us: not show you an elevation prompt when you change settings in Windows. The default configuration in Windows 7 therefore looks as shown below:

[Image: the Windows 7 UAC settings dialog at the default slider level]

And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those!

However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different:
[Image: the Windows 7 UAC settings dialog at the “Always notify” slider level]

And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.

So, basically to give you my view:

  • We did what you asked us to do: reduce the number of UAC prompts, especially when you change your Windows settings.
  • We do what the prompt tells you we are doing.

In my opinion, this is not a vulnerability. We can now debate when we should generally show a UAC prompt, but that is a completely different debate from claiming this is a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment, and think about all the Windows Vista discussions.
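The post describes the two slider positions in terms of the dialog, but an administrator auditing a fleet wants to read the level back from the machine. The script below is an added example (not code from the original post or from Microsoft): it reads the registry values behind the Windows 7 UAC slider under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop), names the slider level, and flags any level at which, as the post explains, the UAC settings themselves can be changed without an elevation prompt. The mapping from registry values to slider positions is my understanding of the Windows 7 slider and is an assumption, not something the post states; the function names are mine.

```powershell
# Added example, not code from the original post or from Microsoft.
# Reports the Windows 7 UAC slider level from its registry values and warns
# when changes to the UAC settings themselves would not be prompted for.
# The value-to-level mapping below is an assumption about the Windows 7 slider.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    # Returns the named DWORD from the policy key, or $Default if it is absent.
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $UacPolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-UacLevelName {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 switches Admin Approval Mode off entirely, which is what the
    # Windows 7 "Never notify" position does (assumption); nothing is prompted for.
    if ($EnableLUA -eq 0) { return 'Never notify (UAC off)' }

    switch ($ConsentPromptBehaviorAdmin) {
        2 { return 'Always notify' }                      # top of the slider
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Default: notify only when programs try to make changes'
            }
            return 'Notify only when programs try to make changes (no secure desktop)'
        }
        0 { return 'Never notify' }                       # elevate without prompting
        default { return "Custom (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin)" }
    }
}

function Test-UacSettingsProtected {
    # Only "Always notify" prompts for changes to Windows settings, the UAC
    # slider included; at every other level those changes go through silently.
    param([string]$LevelName)
    return ($LevelName -eq 'Always notify')
}

$level = Get-UacLevelName `
    -EnableLUA                  (Get-PolicyValue -Name 'EnableLUA' -Default 1) `
    -ConsentPromptBehaviorAdmin (Get-PolicyValue -Name 'ConsentPromptBehaviorAdmin' -Default 5) `
    -PromptOnSecureDesktop      (Get-PolicyValue -Name 'PromptOnSecureDesktop' -Default 1)

Write-Output "UAC level: $level"
if (Test-UacSettingsProtected -LevelName $level) {
    Write-Output 'OK: changing the UAC settings requires an elevation prompt.'
} else {
    Write-Output 'WARNING: at this level the UAC settings can be changed without an elevation prompt.'
}
```

Run it in a PowerShell session on the machine being checked; reading the key does not itself need elevation. In a domain, the same values can be pinned centrally through Group Policy (for example the setting "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"), so that the slider position is enforced rather than merely audited.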

BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista.

Roger

Comments

  • Anonymous
    February 03, 2009
    It's pathetic that MS isn't taking this issue seriously. Just as spike said, this design flaw renders UAC USELESS. Everyone else can see the problem with this. Why can't MS?

  • Anonymous
    February 03, 2009
    To start off with, I zipped up the zipper in Win7 because it felt so weird without the UAC prompts I expected. Asking for prompts on the zipper is not asking for all the prompts back. The prompts I receive are expected. What I do hear a lot of complaints about as well is WGA notifications, but that feedback appears to not have been acted on. I was afraid that the swing of the pendulum would go too far in response to Vista. I was right. Some asked for this change. I did not.

  • Anonymous
    February 04, 2009
    I don't get how this can be so hard. I have not tried Win7 myself, but from what I understand, the no prompting only happens for things signed by a special MS Win7 cert. If so, just sign the .cpl that controls UAC with a normal MS cert.

  • Anonymous
    February 04, 2009
    UAC prompt should always appear when changes to UAC settings are made. Always. Nobody asked for this kind of behavior.

  • Anonymous
    February 04, 2009
    On the lower (default) setting it should, of course, be possible to change settings without a UAC prompt. That is, after all, the point of the lower setting. HOWEVER, the one setting that shouldn't be changeable is the UAC level. That might not seem "logical" or "consistent", but it's the behaviour people expect. Is it really so hard for anyone working on Windows to get this? I'm beginning to think it is.

  • Anonymous
    February 04, 2009
    I don't know what's so hard about treating the control panel applet responsible for UAC differently from other cpl applets. Microsoft is acting like not-prompting for control panel changes is an all or nothing approach, e.g. they can only make changes that affect all control panel applets. If, to not prompt for control panel applets, you absolutely must do this to every control panel applet, and can't exempt UAC itself from this "no prompt" behavior, then I truly feel Microsoft seriously needs to reexamine their coding practices.

  • Anonymous
    March 11, 2010
    I have Movavi Video Converter; it won't run with UAC on in Windows 7. What should I do? Art. Email asnow04@sbcglobal.net