Microsoft responds to Windows 7 security gripe

By

Microsoft has responded to public criticism of its User Account Control (UAC) system, and has confirmed that it will not classify the reported issue as a security vulnerability.

Microsoft has responded to public criticism of its User Account Control (UAC) system, and has confirmed that it will not classify the reported issue as a security vulnerability.

Microsoft responds to Windows 7 security gripe

"The intent of the default configuration of UAC is that users do not get prompted when making changes to Windows settings," a company representative told vnunet.com. "This includes changing the UAC prompting level."

The statements follow a blog posting by researcher Long Zheng, who suggested that the warning features in UAC could be bypassed and even disabled by malicious code.

Microsoft pointed out that an attacker would have to had compromised a system already in order for this to happen.

"The only way this could be changed without the user's knowledge is by malicious code already running on the box," the representative told vnunet.com.

"In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)."

Zheng issued a second blog posting on Saturday addressing Microsoft's statements. "Microsoft's argument is entirely based on the user, which I agree to an extent. They have to download and execute such an application, but this can be a low-privileged application so it would have no warnings whatsoever," he wrote.

"How could a low-privileged application being able to turn off the entire privileged applications security layer not be a security flaw? Let me repeat: a low-privileged application. Some people seems to have missed that."

Microsoft declined to comment on whether Zheng's suggestions would be adopted or ignored, but a spokesperson told vnunet.com: "Microsoft has received feedback on UAC prompting behaviour, and has made changes in accordance with user feedback."

Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:

Most Read Articles

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Log In

  |  Forgot your password?