Microsoft Apologises; To Fix Win 7 UAC Flaw

Earlier this week, Tom's Hardware reported that there was an inherent security flaw in the newly renovated User Account Control (UAC) built into the current Windows 7 beta build 7000. Microsoft has listened to the critics and has released details of their fix to address the problem.

At first Microsoft brushed off the issue as "by design," that is, it won't prompt users as much as in Vista which is what it was aiming for. But because the default UAC setting prevents changes to UAC from causing a secure desktop prompt, malicious code can alter the settings and even disable UAC without the user knowing it. Viruses and other malware can then run wild on the system with full administrative rights.

Who makes changes to UAC so often that they will be constantly pummelled with prompts? It wouldn't damage Microsoft's quieter UAC policy too badly to make an exception to the rule in this case for the sake of security. Fortunately, that is what it has now decided to do.

After a negative outcry from the community on their blog post defending the "problem", Microsoft's Jon DeVaan and Steven Sinofsky followed up with another post responding to community feedback.

“Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed. That’s not the dialog we set out to have and we’re going to do our best to improve,” they said.

According to the blog post, two changes will be made to the Release Candidate regarding UAC. Firstly, the UAC control panel will run in a "high integrity" process that requires permissions elevation. The blog states that this first change was already being worked on before this issue came to light. The second change will force prompts for confirmation to changes to UAC settings, which is the "simple" fix that Long Zheng mentioned in his blog when the problem was first publicised.

While it may take a fair amount of persuasion, it's good to see that Microsoft responds to user feedback positively.