The beta of the next release of Windows has been making rounds and has garnered mostly positive reviews as a beta with most people having good things to say about performance. Windows 7 essentially addresses the short comings of Windows Vista and top on the list of Vista’s transgressions is the User Account Control (UAC) feature which was intended to make Windows more secure but it proved to be too zealous in its prompts for permissions. Changes in Windows 7 aim to reduce the number of prompts that UAC asks for but so far this may have led to a less secure configuration on the next release of Windows.
According to two Windows enthusiasts, the current configuration of UAC on the beta version of Windows 7 makes the next release of Windows vulnerable. One of these threats allows malware to turn off UAC. A nasty piece of code would take advantage of your Windows 7 box without any protest from your system. The second flaw allows malware to elevate its permission on the system. The details of the second exploit can be found here. It basically take advantage of the fact that processes that ship with Windows 7 are allowed to automatically elevate their permissions on the system without any UAC prompt. However it is possible to use a binary that ships with Windows 7 to launch a third party program which can be a malware thus allowing malware free pass into your system.
The incredible and perhaps scary bit of this drama is Microsoft’s response to these flaws: so far, the response from Microsoft is that these two issues are not flaws but are there by design. In what world does make it sense to insist that an apparent security vulnerability is there by design, unless the intention was to have a vulnerable design from the outset. I don’t buy that “by design” argument as it seem to be based on the fact that there is absolutely no way that malware can find its way into a Windows 7 system in the first place thus making it all right to make flawed design choices.
The reaction to and interest in Windows 7 has been phenomenal to say the least and personally I was impressed by the fact that Microsoft is getting the benefit of what comes as part of the open source software development: community support and involvement in software development. These two security issues were raised by Windows enthusiasts and raised using a beta release for that matter; the upside is that this gives Microsoft the chance to fix the vulnerability before releasing Windows 7. More importantly fixing the vulnerability would be important in cementing relationship between Windows hackers from the broader end user community and Microsoft such that cooperating towards securing Windows becomes an imperative of everyone in the Windows ecosystem.
UAC in Windows Vista was annoying but I have always thought I much rather get used to the annoyance of UAC than to suffer malware infestation which would dramatically increase the amount of time I spend baby sitting Windows. The UAC changes in Windows 7 are implemented to lessen the annoyance that was in Vista but there exists a real threat of these changes causing Windows 7 to become less secure. It is a delicate balance between security and usability and missing that balance can shape end user’s reaction to a product. How Microsoft deals with this so called by design flaw can possibly shape people’s attitude towards Windows 7. To Microsoft the more important question is how many people are willing to hang on to Windows XP because of the perceived vulnerabilities in Windows 7.