Technology Stocks : Windows Vista

From: TimF 3/12/2009 4:43:52 PM
Microsoft blinks, and users of Windows 7 UAC win

By Woody Leonhard

In my Feb. 5 column, I took Microsoft to task for allowing any Trojan horse to silently disable the protection provided by User Account Control (UAC) in the soon-to-be-released Windows 7.

Microsoft execs initially implied that this problem wouldn't be fixed, but the company abruptly changed its tune and now states that UAC will be protected from sneaky changes. Bravo!

If you haven't been following the Perils of Pauline, UAC Edition, here's a quick summary:

User Account Control, a security feature introduced in Windows Vista, has long been vilified for its unnecessarily boorish behavior, requiring users to click, click, click repeatedly to accomplish mundane tasks. The beta version of Windows 7, fortunately, sports a new one-stop center that allows you to make UAC either more or less intrusive. Depending on the level you select, UAC tries to alert you to several kinds of changes that some unknown program may attempt to make to your system.

Windows' inability to distinguish changes you make yourself from those implemented by a potentially rogue program leads to an identity crisis. On his IStartedSomething blog, researcher Long Zheng published a very simple demo that reaches into the beta Windows 7 UAC center and changes settings without permission. Using Windows 7's default settings, Long's VBScript program can turn off UAC without the user's knowledge or consent.

That shouldn't keep you up at night — after all, such a rogue program could do more serious damage, such as spew a zillion e-mails from your PC, scan your storage devices for credit-card numbers, or reformat your hard drive. But the weakness of UAC in Windows 7 was enough of a flaw to make many people — present company included — feel queasy about it.

Microsoft does a double-take on Win7 update

In Microsoft's support forums, company officials responded to early complaints about Win7's UAC controls by claiming the behavior was by design and wouldn't be changed in the final, shipping version of the product. Then Long's program arrived with a thud and the problem, uh, "got escalated," in Micro-speak.

On the same day my article appeared, the official Engineering Windows 7 blog carried a very detailed explanation of the problem that was posted by Jon DeVaan. (His official title is senior vice president of Microsoft's Core Operating System, but I think of him as the incredibly smart guy who keeps the innards of Windows working.) Everything Jon says is quite accurate, technically — at least as best I can tell. But from a PR point of view, his analysis felt like a brushoff.

Later that day, Jon and his boss, Steven Sinofsky — whose title is senior vice president, Windows and Windows Live Engineering Group, but who's better known as the head Windows guy — posted a dramatically different response. By the time Windows 7 hits Release Candidate 1 status, Sinofsky promised, changes to the UAC settings will be possible only in elevated mode, which darkens the screen and requires a click. Independently, any UAC-level change will need the explicit approval of the user.

That nails the whole problem.

Sorting out the UAC winners and losers

In the end, everybody won — but probably not for the reasons you might think.

Windows 7 users won because Microsoft plugged a potential security hole before the product shipped. Cool!

More than that, Jon and Steven demonstrated that they can and do listen to customers, come up with good compromises, and promulgate changes quickly, even as a product is headed out the door. I've been beta testing Microsoft software for almost two decades, and I've never seen anything like it.

The most important win-win component? Microsoft's Engineering Windows 7 blog has opened a channel of communication we've never seen before, and it works wonders. Instead of waiting weeks or months to see what decisions have been made, we can get the official story immediately — give or take an edit by Microsoft's PR firm, anyway. The E7 blog was a brilliant idea, and it's been handled well.

I roast Microsoft so regularly that it's a pleasant change of pace to take my hat off to the company. Now, about those ActiveX controls ...

Woody Leonhard is working feverishly on Windows 7 All-In-One For Dummies. He writes the Woody's Windows column for Windows Secrets twice a month and comes up for air occasionally.

windowssecrets.com