UAC Flaw Continues to Exist in Windows OS
A Microsoft blogger who some time ago pointed out a security flaw in Windows 7's UAC (User Account Control) says the flaw remains and that Microsoft has declined to patch it, even though the company is at the final stage of code completion for the OS.
While Windows 7 was at the beta stage, security investigators revealed serious vulnerabilities in UAC that could result in vital problems, and Microsoft, though initially reluctant, finally issued patches for them.
Blogger Long Zheng, of the well-known "I Started Something" blog, reveals that the UAC security feature, first developed for Windows Vista to establish user rights, could be effectively exploited on a Windows 7 computer, as reported by PCWorld on June 17, 2009.
Citing an instructional paper by Mark Russinovich, Technical Fellow at Microsoft, that elaborates on UAC, Zheng says the paper states very plainly that Microsoft is not even thinking about fixing a modification it introduced in Windows 7 UAC, thus lessening security for the latest OS. A remote party could turn off UAC while the user remains unaware.
Zheng first called attention to this modification and its loophole in February 2009, when he explained that the security problem lies in the newly introduced default UAC setting for a normal user, which does not inform the user about modifications made to Windows settings. A change to UAC itself is treated as a change to Windows settings. Therefore, if UAC is turned off, the user is not informed. Zheng stated that he knew how to disable UAC remotely through certain code and keyboard shortcuts.
Apart from malware, the issue also involves developers of third-party software, who could write code for Windows 7 programs that runs with administrative rights and doesn't produce UAC alerts. For some companies this could even be a way to sell software that is 'less annoying,' although that could shake faith in the Windows environment.
Meanwhile, it is believed that the UAC vulnerability will still be present and ripe for exploitation when the next Microsoft OS is released.
» SPAMfighter News - 26-06-2009