Microsoft under spotlight for Windows 7 security 'flaw'

A security researcher has claimed that there is a major flaw in the Windows 7 beta which he alleges Microsoft is planning on leaving as is in the full version.

Long Zheng, security researcher and blogger for istartedsomething.com, says that there is a problem with the UAC (User Access Control), designed to monitor a computer and notify a user when a programme attempts to alter the system.

On the Windows Vista platform it was meant to protect against malware, but caused problems due to the barrage of pop-up dialogue boxes it created. Some users turned it off, effectively negating its existence.

On the Windows 7 Beta, UAC was changed so it could distinguish between third-party software and system applications by checking for security certificates. If the process or application has the right certificate it will not cause a prompt to appear.

However, Zheng said the problem with the Windows 7 beta is that UAC can now be controlled through system settings and completely disabled without user interaction. He even posted 'proof' of his claims.

He said there was a simple fix to the problem, but claimed Microsoft had replied saying “it is not a vulnerability”.

He said on the blog: “The whole reason why I had made the “issue” public was because private Windows 7 beta-testers were frustrated at how Microsoft treated their concerns, but it seems like it hasn’t changed.”

Zheng later updated his post, clarifying how the vulnerability can occur, adding that users must be in the “Administrative” user group, not just the “Standard” user group to be able to affect things.

At the time of writing, Microsoft had not responded to our request for comment on the issue.

Email to a friend

Print this page