posted by Thom Holwerda on Fri 6th Feb 2009 10:36 UTC

You have to hand it to them: Microsoft has made an excellent marketing move the last couple of days. Remember the UAC issue we reported on earlier? It turned out that changing UAC settings did not actually trigger a UAC dialog, allowing scripts and malware to disable UAC altogether without the user ever noticing anything, obviously leaving the system wide open. After stating numerous times that the company wouldn't do anything about this issue, they have now done a complete 180, and will fix UAC to work as many had already advised. A brilliant marketing ploy right there.

As soon as the net got wind of the vulnerability in the UAC slider dialog in Windows 7 through the work of Long Zheng and Rafael Rivera, it was filled with complaints and requests to Microsoft to fix the issue. In summary, the issue boils down to this: Windows 7 has a slider that allows you to fine-tune UAC, from [Vista-]paranoid mode all the way down to "off". The problem is that changing this slider did not trigger a UAC dialog. In other words, scripts and malware could easily disable UAC without the user ever noticing anything. The solution was to move the slider all the way up to paranoid mode.

Long Zheng contacted Microsoft shortly after, and the company claimed this was by design and that it wouldn't change it. To further detail this position, Microsoft's Jon DeVaan wrote a lengthy blog post on the Engineering 7 weblog. The company's argument was that for the vulnerability to work, malware would already need to be running on the system, and that modern web browsers and email clients already present a good enough security barrier. "We know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system," DeVaan writes, "We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines."

The comments to this blog post were crystal clear: most accused DeVaan of missing the point. The situation was best summed up by commenter d_e: "Jon, you're missing the point. The people only want to see an UAC notification when the UAC level is changed. That's all. You don't have to change anything else." The call to treat UAC as a special case, always requiring confirmation no matter the account or elevation level, was loud. Microsoft gave in. In a follow-up post, DeVaan and Sinofsky write:

"With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation."

Basically, they will treat changing UAC settings like changing a password: you always need to enter your old one for that. Great marketing example, this. You cannot say with a straight face that such a massive company made such a 180 in such a short time. This feels rather planned out, and it has been executed wonderfully. Still, that does not negate the fact that this change makes Windows 7 a better and more secure operating system. Marketing ploy or not, people will benefit.
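As an added example (mine, not the article's and not Microsoft's code), the PowerShell below reads the registry values the UAC slider writes and reports the effective level, so that a silent downgrade of the kind described above can be caught by an audit script or scheduled task on machines whose UAC control panel still lacks the confirmation prompt. The registry path and the value names EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the standard Windows UAC policy values; the mapping of value combinations to slider positions is my assumption based on the commonly documented Windows 7 defaults and should be checked against your own build, and the function names, parameter names and baseline list are mine.

```powershell
# Added example, not from the article: audit the UAC level so a silent change
# to the slider can be detected. Reading these values needs no elevation;
# writing them does, which is the point of the control-panel change above.
# The value-to-level mapping is an assumption (commonly documented Win7 values).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey

    # A missing value means "not configured"; fall back to the Windows default.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # Assumed slider mapping (top of slider first).
    if ($enableLua -eq 0) {
        $level = 'NeverNotify (UAC disabled)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'AlwaysNotify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'NotifyOnAppChanges (default)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'NotifyOnAppChangesNoDim'
    } elseif ($consent -eq 0) {
        $level = 'NeverNotify (elevate silently)'
    } else {
        $level = "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
    }
}

function Test-UacBaseline {
    # Levels an organisation considers acceptable; anything else is a finding.
    param([string[]]$Allowed = @('AlwaysNotify', 'NotifyOnAppChanges (default)'))

    $state = Get-UacState
    $ok = $Allowed -contains $state.Level
    if (-not $ok) {
        Write-Warning "UAC level is '$($state.Level)', outside the allowed baseline: $($Allowed -join ', ')"
    }
    return $ok
}

Get-UacState | Format-List
if (-not (Test-UacBaseline)) { exit 1 }
```

Run it periodically (or from a logon script) and alert on a non-zero exit code; because the audit only reads the key, it works from a standard user session, while an attacker who already has code running with sufficient rights to lower the slider would still need to defeat the confirmation prompt once the Release Candidate change described above is in place.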