High-slider integrity planned for Windows 7 UAC

Microsoft has promised changes to a frustrating Windows security feature inside Windows 7, following reported vulnerabilities and an avalanche of criticism. The Windows 7 User Account Control (UAC) will feature improved protection, apparently intended to prevent unauthorized access and stop malicious code from piggybacking on …

COMMENTS

This topic is closed for new posts.
  1. Brett Brennan
    Thumb Down

    Off on the wrong foot already

    Microsoft can't afford another Vista debacle. No matter how good, secure, pretty, easy-to-use etc. Windows 7 ends up, the fact that EVERYBODY is looking for a mis-step in the release is really more important to address than the actual features.

    In the case of this UAC "issue", all Microsoft's management needed to do was say "yes, well, you have a possible good point. We'll look into it and give a technical explanation of how we'll address it by the release date."

    Microsoft has to realize by now (and the contrite response at the end of this report shows that they DO GET IT) that one more release that has the problems Vista was perceived to have is going to cost them dearly - specifically on the corporate desktop and server. Companies have put up with having large IT staffs who mostly deal with Windows patches, security issues and user screw-ups. The issue for large corporations is that this is becoming the primary cost center for their IT department. Even outsourcing this job to India or China doesn't make it go away, and it doesn't really lower the cost of having systems "go down" for bug fixes and updates - which a problem or patch WILL do regularly in the real world.

    IT department managers are already beginning to realize that their maintenance costs keep going UP not down, and each problem is more expensive than the last. Conficker opened a lot of eyes over the past couple of weeks: the cost of fixing this relatively simple attack has hit home, not because of the attack itself, but discovering that there are about 10-20% of corporate systems that could NOT be patched immediately because of expensive, custom "legacy" applications that need to be moved onto newer OS releases, at a huge rewrite cost. The IT directors are getting hammered for having the infection in their system, and they're getting hammered for needing to take down "core" applications to fix it. And their budgets are going up in smoke just patching the holes in the dike. Then they notice that their {*nix/mainframe/Apple} systems aren't getting hit the same way, that they have 1/5 the staff managing these platforms and the cost isn't bulging up every time a script kiddie discovers a new toy to play with.

    Microsoft absolutely MUST be able to take the message to the world that their product is engineered safe and efficient, and that when the inevitable problem DOES occur that they can fix it quickly without impacting all the old legacy applications running the businesses that buy their product. And it ain't going to require opening another support center ANYWHERE just to have the asses and elbows to rush around 1000 systems and slap patches.

    Redmond's got about six months to get this message done and done right. If Windows 7 has ANY issues even CLOSE to Vista, it'll be "hasta la vista" to Microsoft in the corporate environment within 18 months, and probably in the consumer market just as quickly.

    We'll see how they react.

  2. N

    Please fix the UAC

    I mean, I don't want it to get on my tits asking daft stuff all the time, but I would like to have confidence that it is secure & cannot be tinkered with.

  3. Steve

    Vista

    ahh yes I rem this UAC in Vista.

    Had my shiny new laptop in Sept last year.

    Had a play with Vista.. Got hacked off with the UAC and was turned off within the hour.

    Now funnily enough do not use vista at all on the laptop lol.....

    Windows = Bastardising PCs everywhere.

  4. Anonymous Coward
    Thumb Down

    A title is required.

    "any changes made to the slider will prompt a pop-up that asks for user consent, even if your UAC alerts are set to "never notify," the company said."

    So, they are going to pop up a notification when *increasing* the setting? "You are about to increase the security of your system. Are you sure you want to do that?"

    Wha?

  5. JP Strauss
    Alert

    It's their own fault

    Microsoft's #1 problem IMHO is that their operating systems are too user friendly. This is certainly good for sales, but sucks when it comes to security. This is unfortunately necessary because your grandma hasn't the slightest idea what the difference between an OLEDB connection and a recycle bin is. So now they have to find increasingly more intricate ways of keeping script kiddies out of her email, while at the same time allowing her to delete her [win32] folder, if she wishes.

    Maybe they should try to imitate Ubuntu a bit more in this regard: you get to do almost anything you want in the realm of casual users, but things you aren't supposed to touch are hidden behind a root password.

  6. Mark

    re: It's their own fault

    "This is unfortunately necessary because your grandma hasn't the slightest idea..."

    Nope, the problem is that grandma doesn't want a computer. She wants something to email pictures of her grandchildren and look up cooking recipes on AOL. If she's the sort of grandma you posit.

    And Windows, to sell newer versions, is getting further and further away from that.

    However, have a look at the Nokia N800. Apart from being the wrong HARDWARE, it IS what gramma wants. It doesn't do as much out of the box but it does what Aunt Tillie needs and is secure BECAUSE of it.

    And only possible because there are "a hundred different Linuxes". One of which is tied down.

    Netbooks do the same.

    Windows can't do that since

    a) their OS doesn't modularise like that

    b) they won't be able to charge as much for the OS

  7. Jodo Kast
    Coat

    It's all about the egos at MS

    As per "Sinofsky and DeVaan blamed the response to DeVaan's original post on "poor communication." They said the changes were already in the works before this "discussion"."

    Huh? Who cares who's first? This is a red flag that egos are at play here, not facts, but egos.

    You'd think that after Vista, they would 'get over themselves', and realize that they aren't providing the customer what they want, they are not truthful about what the customer receives (see: Ultimate edition), and security is difficult for Microsoft to address.

  8. Anonymous Coward
    Thumb Down

    It's all in the OS

    (1) All programs operate in their own "sandbox" and can't touch other programs

    (2) All programs load in their own folder...no hidden files...no boot sector...no rootkit

    (3) No program executes without permissions being set

    (4) No program accesses interweb without permissions being set

    etc., etc., etc.

    I blame Microsoft for being stupid about their OS and what people need to be able to use it for.

  9. Kevin Bailey

    I'm genuinely puzzled

    What's the problem with UAC?

    It works perfectly (and I mean perfectly) on Linux distros.

    You use your PC - if you need to install software or change anything important such as network settings or user accounts you need to supply the admin password.

    I've used Linux workstations and servers for years and never found the requests intrusive. And in fact it's great to know that as a normal user you simply can't damage the OS.

    Is this to do with Windows users running as admins? - why not simply only allow normal user accounts and have a single administrator account which is used when needed?

    And to save typing they could use a shorter name than Administrator - why not use a nice short name - I would suggest 'root' as this user would have control of the 'root' of the system.

    And I'd change the home folders base from 'Documents and Settings' - the spaces can cause problems. I think Vista has started fixing this old error by calling it 'Users'. But what if there is only a single user account. 'Users' is plain wrong, inelegant.

    Let's think, a home sometimes of settings, a home sometimes of data, a home for users stuff in general. Hmmmm... Not sure - will come back to you on that one.

  10. Anonymous Coward
    Flame

    "Protected files" everywhere

    "while at the same time allowing her to delete her [win32] folder, if she wishes."

    That is BS and obviously you've never tried to actually do that.

    On the contrary: every f**ing file or directory MS labels as a "system file" is "protected from tampering", meaning you can't delete, change or rename it. You can't change the classification, either, that's proprietary MS-right, you (as the system owner) have none. Which is good reason to shoot MS-people by itself.

    Outlook, IE, "MSN Gaming zone", "Microsoft Office", "Netmeeting", "Plus!", "Windows Update", almost everything in system32-directory, "temporary internet files"-directory, all of the DRM-BS, most of the hlp-files(!), many of the (not necessary) services, the list is very, very long and most of those are just crap or MS spyware. Which of course explains why you, the luser, may not remove them. The fact that you own the machine means nothing, the MS owns you by their os-lookalike.

  11. Anonymous Coward
    Jobs Horns

    Root sits in Redmond.

    "I would suggest 'root' as this user would have control of the 'root' of the system."

    Ah the irony. In any MS-system the root (in the unix-sense of the word) sits in Redmond, you can have none of that. A luser by other name (Administrator) is still a luser.

    You'd need "SYSTEM"-account to be something like root and as far as I know, it can't log on interactively at all. If it could, it (the password) would be hacked in 10 minutes, no matter if passwords are given or not.

  12. kain preacher

    @AC

    On the contrary: every f**ing file or directory MS labels as a "system file" is "protected from tampering", meaning you can't delete, change or rename it. You can't change the classification, either, that's.

    Hmm never had an issue deleting a file. Oh I guess right click and changing the properties of file does not work hmm :)

  13. Allan Dyer
    Black Helicopters

    @JP Strauss

    "Microsoft's #1 problem IMHO is that their operating systems are too user friendly."

    I'd expect a friend to warn me when I was going to do something stupid. Damn newspeak.

  14. Anonymous Coward

    System acc

    "You'd need "SYSTEM"-account to be something like root and as far as I know, it can't log on interactively at all. If it could, it (the password) would be hacked in 10 minutes, no matter if passwords are given or not"

    I think it is (although I'm not 100% I'm talking sense here) but explorer and cmd seem happy to run as SYSTEM with some minor encouragement

  15. Anonymous Coward

    Re: Brett Brennan

    I agree with much of what you say- bearing in mind almost all *nix based systems manage security better than windows and in a more convenient/user friendly way, I'm surprised MS have such issues implementing something like UAC in a sensible manner.

    If it's true to say that a great swathe of Windows malware and security risks could be eliminated by preventing users running as admin, surely the *nix approach would be worth adopting? Make it so a new PC wouldn't complete setup without selection of a reasonably strong password, force the user to run as a user, and then that'd free folks up to focus on the social engineering-style website attacks.

    At the moment, MS is responding to attacks by issuing cleanup tools and patches post-infection, a simple challenge to silent payload delivery and execution would enable them to redeploy that resource into something that is revenue generating, rather than revenue defending.

    For god's sake, every time some new malware emerges that sidesteps Windows security, millions of dollars are spent trying to fix the problem, repair the damage and then retrofit a preventative measure- you would have thought that governments would have declared OS insecurity as a national security risk by now.

    Or are the Redmond egos too big to admit that Jobs and la Penguinista's had this right before they did?
