Microsoft insist Windows 7 UAC security flaw is "by design"

About the UAC security flaw in Windows 7 (download link), a Microsoft spokesperson claims this is “not a vulnerability”, and is intended behavior and again indicates will not be changed. Here’s an email excerpt: This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. […]

About the UAC security flaw in Windows 7 (download link), a Microsoft spokesperson claims this is “not a vulnerability”, and is intended behavior and again indicates will not be changed. Here’s an email excerpt:

  • This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
  • The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)