Davey Winder
Friday, 06 February 2009 14:24
Having spent all week denying that there actually was a vulnerability at all, or indeed that the UAC implementation within Windows 7 presented any kind of security threat to users, Microsoft has just made an astonishing U-turn.
The official Windows 7 Engineering Blog now carries a new statement which seems to suggest they got it wrong.
The statement starts "...at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature."
Fair play to Microsoft: as far as the UAC affair goes, it admits "we’ve managed to do both."
And so, eventually, Microsoft admits that it will make changes, two changes in fact, to the Windows 7 Release Candidate.
Change 1: the UAC control panel will run in a high integrity process, which requires elevation.
Change 2: changing the level of the UAC will also prompt for confirmation.
Today Zheng writes that the Microsoft U-turn is "slightly better than what I had hoped for" and explains that by running the UAC control panel in high-integrity mode "malicious applications cannot manipulate the user-interface of that window without first elevating itself."