Fri, Jan 30 2009 17:56
Do the right thing
Remember my concern that UAC's adjustment bar default setting was too low and should start out at high and then the person could adjust it?
Turns out there's a bigger problem than just my concern:
If you don't want to dive into all of those links, just click on the first one.
Think of what it's saying. That as Windows 7 stands now, malware can be scripted to lower the UAC slider bar all the way off and you'd never get notified that malware was doing this.
Now, before those of you say that you are adults and you don't need UAC to be bothering you with black screens and prompts, I know you are an adult. But malware doesn't play fair. So why in the world should Microsoft make that slider bar NOT notify WHENEVER there is a change to the UAC setting? What, you can't even handle that, as that's too much of a bother or something? Then go buy a Mac. Seriously. And every time you update the software and type in a password for Mac's version of UAC, I'm going to remind you that it's no different.
Is UAC Emasculated in Win7? - Security Watch:
"This is a serious problem for UAC, but UAC is not the only security feature in Windows 7. It's also worth noting that the version affected by this is a beta, and Microsoft has ample opportunity to fix it. In fact, Zheng proposes a fairly simple and obvious fix: The control panel which changes UAC settings, the one which Zheng's attack abuses, should require confirmation in secure desktop mode. That way the attack couldn't automate it."
"It's surprising that Microsoft overlooked this in the first place, but odds are it will be fixed somehow before Windows 7 hits the shelves."
I hope he's right. Are you listening, Mr. Sinofsky? We're expecting you to do the right thing by Windows 7. Joe Wilcox may think that Windows 7 is the greatest thing since sliced bread, but as a current user, buyer, deployer of Windows Vista in production, in my office, I am honestly disappointed with some of the choices I see in Windows 7.
I get it that you had to give choices back in Windows 7. I get it that a slider bar was needed to give people back that choice. I get it that UAC felt too heavy handed for folks used to eons of Administrator rights. I get it that you had to do something to give people back choice. But you went too far. The pendulum is swinging back in time too much.
The bad guys are one step ahead of us and if you leave the current UAC implementation, I'm concerned that they are now two steps ahead.
Do the right thing by your customers and ensure that each change of the UAC bar gets the human interaction it needs, and is not subject to malicious software interaction instead.