A researcher has discovered a problem in the User Account Control of the beta version of Windows 7.
Security researcher Long Zheng has shown how an attacker could bypass the User Account Control (UAC), although he’s also shown how it can be remedied quite simply.
The UAC has been troublesome for Vista users, as it notifies the user every time a program tries to alter the system. Many Vista users disabled the UAC because of its frequent dialog boxes. In Windows 7, though, Microsoft has introduced new rules that allow changes to Windows settings without notification, although other alterations still require notifying the user.
The graphical interface system of Windows 7 RC contains old code from Windows 3.1 that was developed without security in mind. When Microsoft optimized the graphical interface of Windows 7, the incompatibility with this old code caused the system to blue screen.
Attackers would first be able to invade the system server of a certain object to launch the attack, or to create an opportunity for a second attack. Thus, the security hole is a greater threat for the business and government customers who are using Windows 7 RC.
Microsoft, however, has insisted that the functionality is “by design”, dismissing the security concerns and again leaning towards not addressing the issue for the final release of Windows 7.
Microsoft’s Jon DeVaan has posted a response on the official Windows 7 blog with an extensive look at the UAC system in Windows 7 and the company’s decision on the default security policy. In conclusion, they continue to stand by their decision and do not indicate they will change the default UAC policy.