
Microsoft responds to Windows 7 security gripe

by Shaun Nichols

03 Feb 2009

Microsoft is not classifying an issue in its UAC application as a security vulnerability

Microsoft has responded to public criticism of its User Account Control (UAC) system, and has confirmed that it will not classify the reported issue as a security vulnerability.

"The intent of the default configuration of UAC is that users do not get prompted when making changes to Windows settings," a company representative told vnunet.com. "This includes changing the UAC prompting level."

The statements follow a blog posting by researcher Long Zheng, who suggested that the warning features in UAC could be bypassed and even disabled by malicious code.

Microsoft pointed out that an attacker would already have to have compromised a system in order for this to happen.

"The only way this could be changed without the user's knowledge is by malicious code already running on the box," the representative told vnunet.com.

"In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)."

Zheng issued a second blog posting on Saturday addressing Microsoft's statements. "Microsoft's argument is entirely based on the user, which I agree to an extent. They have to download and execute such an application, but this can be a low-privileged application so it would have no warnings whatsoever," he wrote.

"How could a low-privileged application being able to turn off the entire privileged applications security layer not be a security flaw? Let me repeat: a low-privileged application. Some people seem to have missed that."

Microsoft declined to comment on whether Zheng's suggestions would be adopted or ignored, but a spokesperson told vnunet.com: "Microsoft has received feedback on UAC prompting behaviour, and has made changes in accordance with user feedback."
