Microsoft admits it messed up Windows 7 security


Following a week in which no fewer than two security flaws were reported in Windows 7, both of which Microsoft officially dismissed as not constituting a vulnerability, there has now been a rather large change of mind in Redmond and a frankly astonishing confession.

Microsoft has been at the sharp end of the flawed security stick this week, and the funny thing is it seems that they both made the stick and have been responsible for the continued prodding with it.

In an attempt to make all six editions of Windows 7 less irritating than Vista, Microsoft changed the default User Account Control (UAC) setting so that it no longer prompts for permission every time Windows itself makes a change to the OS; only programs from outside Windows trigger the prompt at the new default level.

People have been asking questions about Windows 7 security for some time, so it should come as no surprise that it did not take long for the security research community to twig that this trade-off is a little on the silly side when the subject is system security.

The problem is that by allowing certain digitally signed Windows executables to elevate without a UAC prompt by default, Windows 7 exposes itself to third-party code piggybacking on those trusted binaries.

Malware can abuse such auto-elevated processes, rundll32.exe being the obvious candidate, by pointing them at a malicious DLL; the payload then runs inside the elevated process, carrying the approval UAC granted to the parent without ever showing a prompt.
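The behaviour described above is governed by a single UAC setting, so the first thing a practitioner will want is a way to check which level a machine is on and to put it back to "Always notify". The script below is an added example written for this page, not code from iTWire or from the researchers it cites. It reads the real UAC registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (ConsentPromptBehaviorAdmin, EnableLUA, PromptOnSecureDesktop); the function names and the -Harden switch are this example's own, and it is written for the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example (not from the article): audit the UAC level that controls
# Windows 7's auto-elevation of signed Windows binaries and, with -Harden,
# set it back to "Always notify". The audit needs no privileges; -Harden
# must be run from an elevated prompt.
param([switch]$Harden)

$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin values for members of Administrators:
#   0 = elevate silently (UAC effectively off for admins)
#   1 = prompt for credentials on the secure desktop
#   2 = prompt for consent on the secure desktop ("Always notify", the Vista default)
#   3 = prompt for credentials
#   4 = prompt for consent
#   5 = prompt only for non-Windows binaries (the Windows 7 default the article describes)
$Labels = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for non-Windows binaries only (Windows 7 default)'
}

function Get-UacState {
    # Hypothetical helper name; reads the three values that define the UAC level.
    $p = Get-ItemProperty -Path $Key
    New-Object PSObject -Property @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-UacAutoElevation {
    # Returns $true when signed Windows binaries elevate without a prompt,
    # which is the condition the rundll32 piggybacking relies on.
    param($State)
    if ($State.EnableLUA -ne 1) { return $true }          # UAC switched off entirely
    return (@(0, 5) -contains $State.ConsentPromptBehaviorAdmin)
}

$state = Get-UacState
Write-Host ("EnableLUA={0} ConsentPromptBehaviorAdmin={1} ({2}) PromptOnSecureDesktop={3}" -f
    $state.EnableLUA, $state.ConsentPromptBehaviorAdmin,
    $Labels[$state.ConsentPromptBehaviorAdmin], $state.PromptOnSecureDesktop)

if (Test-UacAutoElevation $state) {
    Write-Warning 'Signed Windows binaries auto-elevate: third-party code can piggyback on them.'
    if ($Harden) {
        # "Always notify": every elevation prompts, and does so on the secure desktop.
        Set-ItemProperty -Path $Key -Name EnableLUA                  -Value 1 -Type DWord
        Set-ItemProperty -Path $Key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $Key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
        Write-Host 'UAC set to Always notify. A reboot is needed for a change to EnableLUA to take effect.'
    }
} else {
    Write-Host 'UAC prompts for every elevation; the auto-elevation bypasses do not apply.'
}
```

Run it once without arguments to see the current level, then with -Harden from an elevated prompt to apply the fix. The same three values are what the Group Policy setting "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" writes, so on a domain-joined machine policy will overwrite a manual change at the next refresh; set it centrally there instead.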

One researcher, Long Zheng, describes how he built a fully functional proof-of-concept in VBScript that disables UAC entirely: it drives the UAC settings dialog with simulated keystrokes, and because that dialog is a Windows component it opens and applies the change without ever prompting.

So that is two UAC related Windows 7 security flaws in a single week. You might think that Microsoft would take them seriously, very seriously indeed.

Yet the initial response was one of total denial: "Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent" said spokesman Jon DeVaan.

More detail about the Windows 7 security flaws and more on that Microsoft U-turn follows on page 2...

