Posted by: reformedmusings | February 7, 2009

UAC security hole confirmed in Windows 7 beta

Vindication! I posted in my earlier look at Windows 7 User Account Controls, the UAC could easily be bypassed by a key-press generating routine because, unlike Linux, Windows 7 doesn’t require your password to reauthenticate each system change. I’m sure that Microsoft devotees scoffed at that assessment. Well, Microsoft now admits that assessment was indeed accurate.

At first, Microsoft claimed that this ability to bypass was a “feature” for user convenience. That didn’t last long, though, as the outcry from testers could be heard in Antactica. That “feature” would make Windows 7 even less secure than Vista. So now, Microsoft is thanking users for their suggestions and promising that the release candidate will incorporate the fix. However, if they don’t require proper password authentification to disable the UAC or make system changes, Windows 7 security will still be beat.

Why do I say that? Because the bulk of Microsoft’s effort, as they openly defend on their blogs, is in keeping bad stuff off of you computer in the first place. If it can’t get on, they say, it can’t hurt you. But hasn’t that been the goal since the beginning? Are they better at it now than in years past? Sure, but they aren’t perfect. If your only defense is the front door, then either someone will leave it unlocked, unlock it in a social engineering attack, or an intruder will kick it in. That’s just a fact of life. Remember the Maginot Line? Apparently Microsoft doesn’t.

Don’t let their ignorance of history leave your private data vulnerable.

Advertisements

Responses

  1. […] the workings of the UAC in an earlier post, and covered what I considered a major hole which was verified here. Microsoft says that they fixed it to some extent, but I don’t have time to check it at the […]

  2. […] Well, I’ve been writing that without requiring a password to make system changes here and here, Windows 7’s User Account Control (UAC) can be bypassed. The situation is even worse than […]

  3. […] to remain true in the final release, even though Microsoft claimed that they would fix the issues as I noted in this post. And don’t forget that you’re paying dearly for the privilege of testing these […]


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: