  • The Windows 7 UAC “Vulnerability”

    It is always interesting how some things spin off. The claimed UAC vulnerability in Windows 7 is one of those events. There are numerous blogs which claim that they found a huge vulnerability in Windows 7. The reason for that is that you can change the settings for UAC without getting a UAC prompt.

    Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements: “I do not want to get all the UAC elevation prompts just because I change my Windows settings”. We heard you loud and clear. So, we decided to do what you asked us: not show you an elevation prompt when you change settings in Windows. So the default configuration in Windows 7 looks as shown below:

    [Screenshot: UAC settings in the default Windows 7 configuration]

    And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those!

    However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different:

    [Screenshot: UAC settings with the slider at “Always notify”]

    And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.

    So, basically to give you my view:

    • We did what you asked us to do: reduce the number of UAC prompts, especially when you change your Windows settings
    • We do what the prompt tells you we are doing

    In my opinion, this is not a vulnerability. We can now debate when we should generally show a UAC prompt, but this is a completely different debate than claiming this is a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.

    BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista.

    Roger
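
The post above contrasts the default slider position with “Always notify”. As an added example (not part of the original post and not Microsoft code), the following Python reads the documented UAC policy values from the registry and reports whether changes to Windows settings raise a prompt; the function names and the sample host data are assumptions made for illustration.

```python
# Documented UAC policy values under HKLM (the names are Windows', not the post's).
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

def read_uac_values():
    """Read the UAC policy values from the local registry (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in NAMES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None  # value not set
    return values

def assess_uac(values):
    """Name the slider position and say whether settings changes prompt."""
    lua = values.get("EnableLUA")
    admin = values.get("ConsentPromptBehaviorAdmin")
    desktop = values.get("PromptOnSecureDesktop")
    if lua == 0 or admin == 0:
        level = "Never notify"
    elif admin == 2 and desktop == 1:
        level = "Always notify"
    elif admin == 5 and desktop == 1:
        level = "Default"
    elif admin == 5 and desktop == 0:
        level = "Default without secure desktop"
    else:
        level = "Custom policy"
    # Modes 1-4 prompt on every elevation; 0 never prompts and 5 skips the
    # prompt for Windows' own binaries, which is the behaviour the post describes.
    prompts = lua != 0 and admin in (1, 2, 3, 4)
    return {"level": level, "prompts_for_windows_settings": prompts}

# Constructed sample values, as a fleet inventory export might hold them.
SAMPLE_HOSTS = {
    "ws-default": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
    "ws-always": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1},
    "ws-off": {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0},
}

def hosts_without_settings_prompt(hosts=SAMPLE_HOSTS):
    """List hosts where an administrator can change Windows settings unprompted."""
    return sorted(h for h, v in hosts.items()
                  if not assess_uac(v)["prompts_for_windows_settings"])
```

On a Windows machine, `assess_uac(read_uac_values())` gives the same report for the local host.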

  • Both Sides of the Windows 7 UAC Problem

    I have to come back to the UAC problem again. I just read a good article from Larry Seltzer on eWeek.com:

    Both Sides of the Win7 UAC Problem

    I think it is one of the first ones I have read that takes the emotions out of the discussion and tries to understand the real problem. He actually made an interesting comment: the whole issue is around running malware to change the UAC settings, and he says:

    The technique could be used for far worse things. Control panel has many important system-wide settings in it. You can set user passwords, uninstall software, disable the firewall, and so on. All of this is possible because of the default UAC setting, and you don't have to change that setting to "exploit" it.

    So, let’s think about it: A lot of people wanted us to reduce the number of UAC prompts. We published a fairly good article in October last year about User Account Control and what we learned.

    Now, let me get it straight (after all the pretty emotional comments I got on my last post): I definitely understand your view and your argumentation. What we need – however – is a balanced discussion about what makes sense and what does not.

    All the discussions are assuming that the user is administrator on the machine – let’s keep that in mind. Is UAC really the only thing you are concerned about? I think it should be consistent throughout the Windows settings (including UAC) – protecting UAC alone probably does not cover the attack vectors you are mentioning. As an example: I can open the Device Manager without a prompt. I can change all Windows settings without a prompt (including all the security settings). This is what the UAC setting is for. From a risk management perspective: What would it really change if we asked for a prompt when you change the UAC setting? So, the malware we are looking at could now not change the UAC settings but all the other Windows settings (if you are an Admin). How much would this really lower the risks – or would it reduce the risk at all?

    So, should we change the default to “High” – which would mean that we are on a similar level as in Windows Vista, where we got a lot of complaints?

    In my opinion we all should do two things:

    1. Take the emotions out of the discussion
    2. Look at the broad picture from a risk management perspective

    And one final thing: Yes, we are listening to you (otherwise I would not have allowed comments, have answered some of the comments and am now writing the second post) and the reason for publishing Beta versions is to have these discussions now, where changes are still possible, rather than after the release. So, let’s have this discussion taking the points above into consideration.

    Roger

    P.S. Read Jon DeVaan's post on this issue

  • News from the Interop front

    Not directly security related: I am often asked about the interoperability between our products and third-party products. Additionally, people claim that we do not allow others to use our technology – that we lock you in.

    Just now I read the following news:

    Google just announced Google Sync, which licenses our ActiveSync technology. As Horacio Gutierrez, our Deputy General Counsel and VP for Intellectual Property & Licensing, puts it: “Google’s licensing of these Microsoft patents relating to the Microsoft Exchange ActiveSync protocol is a clear acknowledgement of the innovation taking place at Microsoft. This agreement is also a great example of Microsoft’s openness to generally license our patents under fair and reasonable terms so long as licensees respect Microsoft intellectual property. This open approach has been part of Microsoft’s IP licensing policy since 2003 and has resulted in over 500 licensing agreements over the last five years.”

    They base that on the Exchange ActiveSync IP Licensing Program.

    So, I would look forward to our competitors doing similar things and allowing interop between their products and other vendors like us ;-)

    Roger

  • Security Compliance Management Toolkit

    A few days ago, we released the Security Compliance Management Toolkit. I think that this toolkit might definitely help you to secure your environment and monitor it against a security baseline.

    Security Compliance Management Toolkit Series

    Roger

  • Two new Security Advisories

    I just want to make sure you have seen it:

    • There were some reports in the last day or two about targeted attacks on Excel. We are aware of these reports and are looking into this. In order to give you our assessment of the situation, we published Microsoft Security Advisory (968272)
      • From what we know so far, an attacker who could exploit this vulnerability could get the privileges of the logged-on user. So, if you are not Admin, this would lower the risk.
      • This attack goes after the binary version of Excel files. So, if you are saving the file with the Office 2007 format (.xlsx) the attack does not work.
      • You should definitely look into the workarounds mentioned in the Advisory.
    • The second advisory is about an update for Windows AutoRun (Microsoft Security Advisory (967940))

    Roger
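
The Excel item above separates the binary Excel format from the Office 2007 format (.xlsx). As an added example (not part of the original post or of the advisory), this Python classifies a file by its content instead of its extension, so that binary-format files, including ones renamed to .xlsx, can be singled out for review; the function names and sample files are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file header of binary Office files
ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP package

def container_of(data):
    """Classify by content: 'ole2-binary', 'ooxml-workbook', 'other-zip' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"   # also used by .doc/.ppt; the stream list would tell them apart
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                names = package.namelist()
        except zipfile.BadZipFile:
            return "unknown"   # ZIP signature but no readable directory
        if "[Content_Types].xml" in names and any(n.startswith("xl/") for n in names):
            return "ooxml-workbook"
        return "other-zip"
    return "unknown"

def triage(filename, data):
    """Report the real container and whether the extension disagrees with it."""
    kind = container_of(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"xls": "ole2-binary", "xlsx": "ooxml-workbook"}.get(ext)
    return {
        "file": filename,
        "container": kind,
        "legacy_binary": kind == "ole2-binary",
        "extension_mismatch": expected is not None and expected != kind,
    }

def build_samples():
    """Constructed inputs: a minimal OOXML package and two header-only binary stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("xl/workbook.xml", "<workbook/>")
    stub = OLE2_MAGIC + b"\x00" * 504
    return {"report.xlsx": buf.getvalue(), "budget.xls": stub, "invoice.xlsx": stub}

def scan(samples):
    return [triage(name, data) for name, data in samples.items()]

if __name__ == "__main__":
    for row in scan(build_samples()):
        print(row)
```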