January's Windows 7 hole still open

A security hole in Windows 7, highlighted by a blogger back in January, is still wide open and Microsoft is showing very little interest in closing it. Of course the software is only in beta right now, but the full release is due in August. An Aussie blogger spotted the problem with User Account Control back in January. John …

COMMENTS

This topic is closed for new posts.
  1. The Original Ash

    Ahhh...

    I always thought the age-old joke about Microsoft "Undocumented Features" was *just* a joke!

  2. Toastan Buttar
    Thumb Up

    By design

    Didn't MS state back in Jan that this was the 'intended behaviour' and that they weren't going to change it?

  3. David 146

    It isn't the same issue

    The issue described in January was a SendKeys vulnerability: that UAC wasn't prompting the user when UAC was disabled.

    The current issue is different and relates to privilege escalation due to "pre-trusted" apps like explorer.exe allowing their memory to be altered by other unprivileged processes.

    Also, Long didn't write the code, he just reposted it.

  4. Anonymous Coward
    Alert

    More information...

    "But 21-year old Long Zheng created proof of concept code which can remotely switch UAC off without informing the user."

    Long Zheng is a very good writer (his blog is far more accurate than some crappy IT websites), but he's not a software developer. The flaw was discovered by Leo Davidson, and he's the one who released the proof of concept code.

    Anyway, the good news is that IE users are protected against this flaw if malware tries to exploit an unpatched flaw in Internet Explorer, Flash, or Adobe Reader, since Internet Explorer and its plugins run in low integrity mode (aka Protected Mode).

    However, Safari and Firefox users are at risk, since a flaw in their browser or in one of their plugins would allow malware to gain administrative privileges through this UAC flaw.

    This UAC flaw resides ONLY in the default uac setting. Setting the UAC at the highest level will make this flaw NON-EXPLOITABLE.

    So; Microsoft could fix this flaw using the same UAC setting as Vista, but people don't like to see elevation prompts when they do administrative tasks (they wouldn't like Linux either ^^).... so Microsoft is listening to them and UAC is now useless (except for IE users who still benefit from the protected mode).

    The flaw itself cannot be fixed because it would stop some programs from working.
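
    The comment above makes a concrete defensive claim: the issue lives only in the default UAC level, and moving the slider to the highest level ("Always notify") makes it non-exploitable. The script below is an added example, not code from the original thread or from the commenter, that audits a machine against that claim by reading the standard UAC policy values from the registry. The registry path and value names are the documented UAC policy settings; the meaning table for ConsentPromptBehaviorAdmin is this example's own assumption and should be checked against the documentation for the build in use.

    ```powershell
    # Added example: audit local UAC configuration against the "Always notify"
    # level that the comment above says makes the flaw non-exploitable.
    # Path and value names are the documented UAC policy values; the meaning
    # table is an assumption to verify against the docs for your build.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    function Get-UacAudit {
        $p = Get-ItemProperty -Path $uacKey -ErrorAction Stop

        $enableLua   = [int]$p.EnableLUA                   # 0 = UAC entirely off
        $adminPrompt = [int]$p.ConsentPromptBehaviorAdmin  # how admins are prompted
        $secureDesk  = [int]$p.PromptOnSecureDesktop       # 1 = prompt on secure desktop

        # Assumed mapping of ConsentPromptBehaviorAdmin values (per public docs).
        $adminMeaning = @{
            0 = 'Elevate without prompting'
            1 = 'Prompt for credentials on the secure desktop'
            2 = 'Prompt for consent on the secure desktop'
            3 = 'Prompt for credentials'
            4 = 'Prompt for consent'
            5 = 'Prompt for consent for non-Windows binaries (the Windows 7 default)'
        }

        # "Always notify" means consent on the secure desktop for every elevation,
        # including elevations requested by Windows' own binaries.
        $isHighest = ($enableLua -eq 1) -and ($adminPrompt -eq 2) -and ($secureDesk -eq 1)

        [pscustomobject]@{
            EnableLUA                  = $enableLua
            ConsentPromptBehaviorAdmin = $adminPrompt
            AdminPromptMeaning         = $adminMeaning[$adminPrompt]
            PromptOnSecureDesktop      = $secureDesk
            AtHighestLevel             = $isHighest
        }
    }

    $audit = Get-UacAudit
    $audit | Format-List

    if (-not $audit.AtHighestLevel) {
        Write-Warning 'UAC is below "Always notify". Per the thread above, the default level lets Windows binaries elevate silently; raise the level via the UAC slider or Local Security Policy to mitigate.'
    }
    ```

    Run it from an elevated or a standard PowerShell session on the machine being checked; reading these values needs no elevation. The script reports and warns only, so it is safe to run in an audit loop across a fleet, and the AtHighestLevel field is the single value worth alerting on.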

  5. Adam Salisbury

    Reaction

    It'll be interesting to see what their reaction is. By design or not, it's still a gaping hole which now has to be plugged, as the code's in the wild.

  6. Anonymous Coward
    Black Helicopters

    "The flaw itself cannot be fixed because il would stop some programs from working."

    Er, Microsoft frequently make OS changes which stop programs working. Why should this flaw not be one of them?

    [Black helicopters, no explanation should be needed, all right?]

  7. Mike 61
    Gates Halo

    but M$ said so

    So it must be true. I mean sure there is a chance that if you use Firefox or Safari that you could be at risk, but nobody actually uses those browsers. Everyone on the planet uses Internet Explorer, so no worries. And certainly no one would set this control to low or off just to avoid being prompted for permission every time you touch your keyboard or click your mouse, would they? Microsoft is never wrong and their systems are rock solid. Just ask them. I will follow them down the garden path of upgrades from XP to Vista to 7 just like they told me I should because, after all, Microsoft knows what is best for me, and you too. Maybe I should look into a volume license, because after all I want to spread the joy to all the people I know. Every day at the appointed time of 4:20 pm I bow down toward Redmond and pray to my god Bill and all he represents. Forgive me for my doubts my lord Bill, and please smite the evil penguin.

  8. Inachu
    Thumb Up

    Anon control to UAC should be denied.

    Microsoft calls this allowable?

    Whew let me make up an internet script that will remotely connect to random IP addresses and send the command to turn off UAC all over the internet! YAY this will be so fun and legal since Microsoft wants it this way by design.

    Microsoft really does love spooks!

  9. Chris Williams 1
    Coat

    Very Handy!

    So now there's a UACC: User Account Control Control.

    That will come in handy!

  10. studentrights
    Jobs Halo

    Sweet Justice

    I guess it's not just Apple that goes on for months without plugging security issues. Sweet justice...

  11. Anonymous Coward
    Happy

    @ Mike 61

    I understand why you bow toward Redmond every day, but why at 4:20 pm? Please explain.

  12. Pete 48
    Dead Vulture

    Windows 7 Development Stage

    Windows 7 _is not_ beta; it is RC1.

    http://en.wikipedia.org/wiki/Software_release_life_cycle

    Please refer to the diagram on the right.

  13. Mike 61
    Flame

    @420 pm

    http://en.wikipedia.org/wiki/420_(cannabis_culture)

    flames because, well...

  14. Lee 32
    Stop

    It's a fracking beta!

    I can throw hate at MS just like everyone else, but give me a break. When I downloaded Windows 7, it came with disclaimers abound. They have no legal and moral responsibility to patch beta software. If you want to run a beta you should be able to understand the risks.
