According to Jon DeVaan, Senior Vice President, Windows Core Operating System Division

Feb 5, 2009 20:41 GMT

Microsoft is disputing widespread reports of security vulnerabilities in User Account Control in Windows 7 (Beta Build 7000). None other than Jon DeVaan, Senior Vice President, Windows Core Operating System Division, denied the existence of security holes in Windows 7's evolved UAC compared to what had been made available in Windows Vista. DeVaan downplayed the relevance of claims that malware could infect Windows 7 machines even with UAC enabled because of the changes Microsoft introduced, relative to Vista, to make the feature more user friendly.

“The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent,” DeVaan revealed.

The Windows boss emphasized that the reports of malicious code potentially bypassing UAC are incorrectly associated with the existence of security vulnerabilities, because neither Microsoft nor the sources of the reports identified a viable avenue of attack. “By any definition that is generally accepted across the world wide security community, the recent feedback does not represent a vulnerability since it does not allow the malicious software to reach the computer in the first place,” DeVaan explained.

Microsoft did tweak UAC in Windows 7 in order to provide users with additional choice. In Vista, users could only opt to have UAC enabled, increasing the level of OS security at the expense of usability, or disable the feature altogether, gaining usability while trading off security. Of course, in order to be as safe as in Windows Vista with UAC enabled, all that users of Windows 7 have to do is configure User Account Control to the highest possible option.

“In Windows 7, we have four settings for the UAC feature: 'Never Notify,' 'Notify me only when programs try to make changes to my computer (without desktop dimming),' 'Notify me only when programs try to make changes to my computer (with desktop dimming),' and 'Always Notify.' In Windows Vista there were only two choices, the equivalent of 'Never Notify' and 'Always Notify.' The Vista UI made it difficult for people to choose 'Never Notify' and thus choosing between extremes in the implementation. Windows 7 offers you more choice and control over this feature, which is particularly interesting to many of you based on the feedback we have received,” DeVaan added.
