Microsoft has sent me a statement about the UAC “issue” in Windows 7 that was raised by bloggers Rafael Rivera and Long Zheng. Long story short, it’s not a vulnerability. Here’s the full statement:
- This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
- Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
- UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
- The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
- In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).
There you go.