
Microsoft Lightens Up: Windows 7 UAC Security Issue Will Be Addressed

Posted: February 9, 2009

There has been much discussion, and little done, to resolve a security flaw discovered in Windows 7's UAC setting. It is apparent that Windows 7 was suspected of being less secure than Windows Vista when it comes to the UAC setting. User Account Control, first introduced in Windows Vista, limits application software to normal user privileges until an administrator authorizes access or an increase in the privilege level. If you run Windows Vista, you may be familiar with the extra level of protection when installing an application: the screen dims and you are asked to proceed or give permission for a program to carry out a certain function.

How was this security flaw discovered?

New findings by Windows enthusiasts Long Zheng and Rafael Rivera revealed a situation within Windows 7 where the default setting is too lenient and may pose a serious security risk compared with the default UAC setting of Windows Vista. This would make Windows 7 seem less like the anti-Vista and more like a step backwards when it comes to security.

What it may have come down to is a goof by Microsoft, which first believed that the default UAC security setting in Windows 7 was just fine as it was. Before this, it may have been clear that Microsoft was not going to listen to others' comments or input on this situation, but now there has been a change of heart. Maybe this is because the Windows 7 Beta release is available to millions of people and many "experts" or bloggers have something to say about the current UAC setting.

Long Zheng and Rafael Rivera have simply brought to everyone's attention a security flaw that needs to be addressed within the Windows 7 UAC. It should not be rocket science to fix a flaw when a Windows enthusiast finds fault with a feature of the Windows operating system in Beta form. The developers should simply review the situation and address it. With Microsoft it was like pulling teeth, because they initially did not want to make any changes.

UAC (User Account Control) is an added level of security first implemented in Windows Vista. If this level of security is changed to a somewhat lower level, then think of the backlash that may occur when Windows 7 is compared directly to Windows Vista. Many people have not yet made the switch from XP to Windows Vista, in hopes that Windows 7 offers something better and more secure that is worth the extra money and time.

What will Microsoft do NOW that this is a heavily discussed and dissected issue with Windows 7?

A change will be made to the UAC to address the security flaw. Steven Sinofsky, Windows Engineering Chief, and Jon DeVaan, Senior Vice President of Microsoft's Core Operating System, explained on the MSDN Blog:

"With this (user) feedback and a lot more we are going to deliver two changes to the (Windows 7) Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

"That sums up where we are heading. The first change was a bug fix and we actually have a couple of others similar to that. This is a beta still, even if many of us are running it full time. The second change is due directly to the feedback we're seeing. This 'inconsistency' in the model is exactly the path we're taking. The way we're going to think about this is that the UAC setting is something like a password, and to change your password you need to enter your old password."

Given everything said above, do you think the input given by Long Zheng and Rafael Rivera was the only hope of Microsoft changing the UAC setting? Do you think you will make the switch to Windows 7?
