
Not so magnificent 7?
By Ina Fried
Published: 5 February 2009 11:27 GMT
Microsoft is facing increasing heat over the security implications of a change designed to make Windows 7 less annoying than its predecessor.
One of the chief complaints with Windows Vista is frustration with all the warnings that pop up to notify users that changes are being made to the operating system. With Windows 7, Microsoft has changed the feature so that users see fewer messages by default and also so they have more control in deciding how often they are notified.
The problem, say some, is that by making the prompts less frequent by default, Microsoft is potentially paving the way for malicious software to make changes without the user's consent.
Unlike with Windows Vista, where users were alerted to all major changes to their system, the default setting in Windows 7 provides users with warnings only when a piece of software is making the changes on its own.
Blogger Long Zheng has detailed several issues he says are created by that change. Last week, he noted that the changes could allow for malicious code that would turn the prompts off entirely without warning the user.
In recent days, Zheng said he notified Microsoft of a second issue in the Windows 7 beta, which he went public with on Wednesday. The latest issue, he says, could allow a program to elevate its rights to administrator level without properly notifying the user.
Microsoft said that latter issue, which still would require malware to make it onto a system, has been fixed in a more recent build of Windows 7 issued internally. That fix is likely to make its way to the public when Microsoft reaches its next public milestone, a so-called "release candidate" build.
As for the broader issue with regard to the User Account Control (UAC) feature, Microsoft says that the criticisms don't take into account real-world behaviour. With Vista, the prompts were seen as so annoying by average users that many were ignoring the warnings or turning them off entirely, said Jon DeVaan, the head of Microsoft's core operating system development unit.
"It is pretty clear that we drove...that behaviour," DeVaan said in an interview on Wednesday.
He likens it to a recent move by his bank to increase its security measures. By making the system harder to use, DeVaan said the main change in behaviour it prompted was for him to consider changing banks.
Although in the abstract it may seem like Microsoft is making the system less secure by default, DeVaan said that the company's real-world testing shows that users will actually pay more attention to the prompts when they see fewer of them.
DeVaan also said that the recent wave of criticism ignores the advances that Windows 7 has made in reducing the likelihood of malware making it onto the system in the first place. Internet Explorer 8, which is built into Windows 7, offers protection against new types of attacks, such as clickjacking.
"Those are designed to help people know before someone is trying to compromise the system," DeVaan said. "In the current feedback we are seeing from people, there has not been any addressing of those parts we have improved."
Still, some critics say...
Copyright © 2008 CBS Interactive Limited. All rights reserved.