UAC fix in Windows 7 creates security hole, blogger says

31.01.2009
A change that Microsoft made in Windows 7 to improve its controversial User Account Control security feature has left the new OS less secure, according to a blogger who follows Microsoft closely.

Microsoft made the change to UAC, a feature that was introduced with Windows Vista, to make it more user-friendly in Windows 7. But the change has allowed for "a simple but ingenious override" that disables UAC without any action on the part of the user, according to the I Started Something blog written by longtime Microsoft watcher Long Zheng.

Microsoft added UAC to Vista in an effort to improve its security and give people who are the primary users of a PC more control over its applications and settings. UAC prevents users without administrative privileges from making unauthorized changes to a system. But because of how it was set up in Vista, UAC sometimes prevents even authorized users from being able to access applications and features they should normally have access to.

It does this through a series of screen prompts that ask the user to verify privileges, and it may require them to type in a password to perform a task. This can interrupt people's workflow, even during some mundane tasks, unless they are set as Local Administrator. The UAC prompts became so problematic that Apple even spoofed them in a television commercial, and Microsoft vowed to improve the feature in Windows 7.

Windows 7 is still in beta and not expected to ship until late this year or early next. Microsoft released the beta earlier this month and outlined the changes to UAC on the .

The changes revise the UAC's default setting, and that is where the security risk lies, according to Zheng.
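As a defender-side check to accompany the article (an added example, not code from the article, the blog it cites or Microsoft): the PowerShell below reads the three policy values that define a Windows machine's UAC level and reports settings that reduce elevation prompting. The registry path and the meaning of each value are taken from Microsoft's documented UAC security policy settings; the function names, the finding texts and the reporting format are this example's own.

```powershell
# Added example (not from the article): audit the UAC elevation policy on a
# Windows host. The registry path and value meanings are Microsoft's documented
# UAC policy settings; the function names and finding texts are this example's own.
$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin, per the policy "User Account Control:
# Behavior of the elevation prompt for administrators in Admin Approval Mode".
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only'
}

function Get-UacPolicy {
    param([string]$Path = $UacPolicyPath)
    $item = Get-ItemProperty -Path $Path -ErrorAction Stop
    # A missing value means the built-in default applies; report it as $null
    # rather than silently coercing it to 0.
    $read = {
        param($name)
        if ($item.PSObject.Properties[$name]) { [int]$item.$name } else { $null }
    }
    [pscustomobject]@{
        EnableLUA                  = & $read 'EnableLUA'
        ConsentPromptBehaviorAdmin = & $read 'ConsentPromptBehaviorAdmin'
        PromptOnSecureDesktop      = & $read 'PromptOnSecureDesktop'
    }
}

function Test-UacPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.EnableLUA -eq 0) {
        $findings.Add('UAC is turned off entirely (EnableLUA = 0)')
    }

    $mode = $Policy.ConsentPromptBehaviorAdmin
    if ($mode -eq 0) {
        $findings.Add('Administrators are elevated silently with no prompt (ConsentPromptBehaviorAdmin = 0)')
    } elseif ($mode -eq 5) {
        $findings.Add('Only non-Windows binaries trigger a prompt (ConsentPromptBehaviorAdmin = 5)')
    }

    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings.Add('Elevation prompts are not isolated on the secure desktop (PromptOnSecureDesktop = 0)')
    }

    [pscustomobject]@{
        Policy    = $Policy
        AdminMode = if ($null -ne $mode) { $AdminPromptMeaning[[int]$mode] } else { 'not set' }
        Findings  = $findings
        Hardened  = ($findings.Count -eq 0)
    }
}

# Usage: the policy key is readable from a standard (non-elevated) session.
$report = Test-UacPolicy -Policy (Get-UacPolicy)
$report.Policy | Format-List
"Administrator prompt mode: $($report.AdminMode)"
if ($report.Hardened) {
    'No prompt-weakening settings found.'
} else {
    $report.Findings | ForEach-Object { "FINDING: $_" }
}
```

The script flags the two settings that most reduce prompting (silent elevation and the non-Windows-binaries-only mode) together with prompts that are not shown on the secure desktop; whether a given level is acceptable is a policy decision for the administrator, and the value a fleet should enforce is best set through Group Policy rather than by editing the key directly.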