Win7’s UAC Creates Security Hole?

There’s been a lot of speculation about whether the User Account Control widget in Windows 7 creates a security hole or not.  IDG News Service reported on 31-Jan-09 that it did.

The UAC in Vista is an all or nothing thing, and quite honestly, it “brings you to a sad, sad realization. (Confirm or Deny)”  Most everyone that I know of, has simply turned the bloody thing off. Its really nothing more than a nuisance.  I’m all for “are you sure” dialogs at the appropriate time; but the UAC in Vista goes way over board.

UAC

In Windows 7, Microsoft took a different approach.  The UAC provides the user with a few different settings that gives them better control over the tool. The UAC was originally intended to give users more control over their applications and settings, and prevent users without admin credentials from making material changes to the configuration and makeup of the PC.

Because of the way its implemented in Vista, it sometimes gets in even an admin’s way. As I mentioned, in Widnows 7, things are a bit different.  Now, the UAC can be configured to only notify users when programs make changes to the computer.  The tool can now distinguish between the activities of a user and a 3rd party program; and when certain conditions apply (with the application of a signed security certificate, for example) the UAC won’t bother you.

Recently, it was discovered that the use of some basic VBScript could create an application that could make changes to the UAC without notifying the user.  This, basically would allow the execution of malicious code without the user knowing it, hence the security hole. 

Since IDG originally published this report, I’ve seen a rebuttal from MS that claims this is not the case.  I’m still not 100% convinced, but you can bet your bippy that I am going to keep my ear close to the ground on this one and will report back on this when I have further information.

1 Comment on Win7’s UAC Creates Security Hole?

  1. where’s the link to the rebuttal?

%d bloggers like this: