High-slider integrity planned for Windows 7 UAC

Microsoft has promised changes to a frustrating Windows security feature inside Windows 7, following reported vulnerabilities and an avalanche of criticism.

The Windows 7 User Account Control (UAC) will feature improved protection, apparently intended to prevent unauthorized access and stop malicious from code piggybacking on approved code in the planned operating system.

Two senior Microsoft executives blogged late Thursday that the UAC control panel "will run in a high integrity process, which requires elevation." That means script running at medium integrity cannot manipulate the UAC panel's slider control, Microsoft told The Register.

Also, any changes made to the slider will prompt a pop-up that asks for user consent, even if your UAC alerts are set to "never notify," the company said.

The alerts and pop-up screens generated by UAC when new codes comes near Windows 7's predecessor, Windows Vista, have proved so frustrating that the internet is now full of advice on ways to hack the panel and turn off UAC.

Windows core operating system division senior vice president Jon DeVaan and senior vice president of the Windows and Windows Live engineering group Steven Sinofsky put their names to the post towards the end of a week that's seen Microsoft grapple with reported vulnerabilities in the UAC in beta versions of Windows 7 code.

For DeVaan, it was his second post on Windows 7's UAC and followed an earlier solo blog post on Microsoft's official IE7 blog that had the opposite effect of soothing jangled nerves on the apparent vulnerabilities.

DeVaan had tried to reassure Windows 7 testers that vulnerabilities exposed in Windows 7's UAC could not be considered "vulnerabilities" because the malicious code had to first install on the PC, and this would require the users' consent.

According to DeVaan, this could not happen and there had been no reported cases of malicious code getting past users.

Far from working, DeVaan's defense IE7 blog drew further heat, inspiring comments such as this from sroussey, which was cited in the DeVaan and Sinofsky effort:

You have 95% of the people out there think you got it wrong, even if they are the ones that got it wrong. The problem is that they are the one's that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?

Also, there was this from @Thack:

Jon,

Thanks for sharing your thoughts. I understand your points.

Now, I want add my voice to the call for one very simple change:

Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.

That is all we are asking. No other changes. Leave the default level as it is, and keep UAC as it is. We're just talking about the very specific case of CHANGES to the UAC prompting level.

It will NOT be a big nuisance - most people only ever change the UAC level once (if at all).

Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level.

The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument. Somebody WILL get past those other boundaries eventually.

Even if you aren't convinced by my argument, then the PR argument must be a no-brainer for Microsoft.

PLEASE, Jon, it's just a small change that will gain a LOT of user confidence and a LOT of good PR.

Thack

Sinofsky and DeVaan blamed the response to DeVaan's original post on "poor communication." They said the changes were already in the works before this "discussion".

"When we started the 'E7' blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren't sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we've managed to do both," the duo said late Thursday. ®