Linked by Thom Holwerda on Sat 31st Jan 2009 10:45 UTC
Privacy, Security, Encryption
Yesterday, we reported on the security flaw in Windows 7's UAC slider dialog, and today, Microsoft has given a response to the situation, but it doesn't seem like the company intends to fix it. "This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level." I hope this reply came from a marketing drone, because if they intend on keeping this behaviour as-is in Windows 7 RTM, they're going to face a serious shitstorm - and rightfully so. Let's hope the Sinofskys and Larson-Greens at Microsoft rectify this situation as soon as possible.
bornagainenguin Member since: 2005-08-07

Thom_Holwerda disputed...

UAC was a success, as the number of applications requiring admin privileges has been drastically reduced. THAT was its intended goal, and it succeeded.


That may have happened as a result, but let's be honest here--it was a nice side effect. For it to have resulted in the changes you suggest would have to mean most users of Windows are running as limited accounts. I don't think anyone wants to pretend that's happened--for the very same reason you point out: 'Everyone' knows installing apps requires admin privileges and so run that way as default.

--bornagainpenguin (who has yet to see a Vista installation in the wild not running with admin privileges)

Reply Parent Score: 2

Thom_Holwerda Member since: 2005-06-29

That may have happened as a result, but let's be honest here--it was a nice side effect.


I think you need a lesson on how UAC works.

UAC is not only effective when you run a LUA; admin accounts are protected as well. Admin users have to click "ok" when something requires elevated permissions, LUAs have to enter the password.

The goal, as clearly stated by Microsoft, was to annoy users so much that they started demanding that 3rd party developers fix their apps so they don't need admin privileges anymore.

As the dramatic reduction in the number of applications requiring admin privileges shows - this goal has been achieved.

For it to have resulted in the changes you suggest would have to mean most users of Windows are running as limited accounts. I don't think anyone wants to pretend that's happened--for the very same reason you point out: 'Everyone' knows installing apps requires admin privileges and so run that way as default.


That's the beauty: people running as admin are still protected because unauthorised access will still be picked up. Of course, running as non-admins is preferred, but oh well.

So, your argument falls flat: whether you're on a LUA, or an admin account, you get the same amount of prompts. In other words, the amount of prompts isn't forcing anyone to stick with an admin account.

Reply Parent Score: 2

license_2_blather Member since: 2006-02-05

I haven't used Vista all that much. I have a problem in principle with a version of Windows that is a minor enhancement at most for me (vis-a-vis XP) taking twice or more the resources. But when I've used it, I haven't found UAC all that annoying. The only time I didn't like it was when performing file operations in Windows Explorer that required privileged access. Explorer prompts once, then UAC prompts again. It's a drag if you are creating directories under C:\ or C:\Program Files. But overall UAC wasn't much worse than sudo on *nix to me.

The goal, as clearly stated by Microsoft, was to annoy users so much that they started demanding that 3rd party developers fix their apps so they don't need admin privileges anymore.


Wow, if that be the case, that's rich. They don't have enough cojones as a multi-billion-dollar company to apply the pressure on their ISVs themselves? Besides, sometimes those 3rd-party apps are felt to be indispensable, or the vendors don't listen--sort of like with, um, oh yeah, Windows and Office. [I would not often use the term "alacrity" to describe the pace at which Microsoft has addressed user complaints.]

All that said, I'm running non-admin on XP, when I do run XP. With a few tweaks (mostly to allow me to adjust wireless settings, since wireless on XP still sucks), it isn't all that bad, either.

Reply Parent Score: 1