Microsoft has sent me a statement about the UAC “issue” in Windows 7 that was raised by bloggers Rafael Rivera and Long Zheng. Long story short, it’s not a vulnerability. Here’s the full statement:

  • This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings.  This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User.  Running software as standard user improves security reduces TCO.
  • The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).

There you go.