Microsoft promises User Account Control fix

Windows 7 will include two changes designed to shore up security around UAC

Microsoft has agreed to fix the controversial User Account Control security setting in its Windows 7 operating system.

Jon DeVaan, Windows core operating system senior vice president, and Steven Sinofsky, senior vice president of Windows, said in a blog posting that Microsoft will increase the protection around the UAC component in the upcoming version of Windows.

The security of UAC became a hot topic with developers and early users of the operating system after a pair of researchers posted a proof-of-concept sample which was said to completely disable UAC protection without user notification.

Microsoft later responded to the reports, claiming that it was not a true security vulnerability and that a user would have to be already infected for the attack to work.

In the latest statement on the issue, however, Microsoft has apologised for the way the situation was handled.

"We said we thought we were bound to make a mistake in the process of designing and blogging about Windows 7," Sinofsky and DeVaan wrote.

"We want to continue the dialogue, and hopefully everyone recognises that engineering, perhaps especially engineering Windows 7, is sometimes going to be a lively discussion with a broad spectrum of viewpoints expressed."

Sinofsky and DeVaan confirmed that the Release Candidate of Windows 7 will include two changes designed to shore up security around UAC.

The update will elevate the status of UAC to a high integrity process which requires an administrator-level account. Additionally, any changes to the UAC setting itself will require notification and user approval.

The updates to UAC appear to have addressed the complaints, but Sinofsky and DeVaan warned users that they would by no means bring total security to Windows 7.

"The feedback is that UAC is special because it can be used to silently disable future warnings if that change is not elevated, so to change the UAC setting an elevation will be required," the pair wrote.

"We also don't want to create a sense or expectation of security that is not there. You should still not download code and run it unless you trust the source."