Yesterday, two Windows bloggers set off a kerfuffle when they suggested security holes existed in Microsoft’s (MSFT) upcoming Windows 7. The report now has Microsoft responding to “misconceptions” about security in Windows 7 and insisting no changes need to be made to software.
But read the comments on Microsoft’s “Update on UAC” post — Windows fans aren’t at all convinced the matter has been settled.
Here’s the crux of the debate, according to Microsoft:
The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behaviour of UAC once malware has found its way onto the PC and is running.
Microsoft then makes a confusing second point, seeming to say the (alleged) malware vulnerability only exists if users choose not to be constantly barraged with security pop-ups.
We’re confused because security not working properly when users turn off the “Always Notify” option (read: constant Vista-esque alerts) is precisely the problem.
The second issue to untangle is about the difference in behaviour between different UAC settings… The recent feedback on UAC is about the behaviour of the “Notify me only when programs try to make changes to my computer” settings. The feedback has been clear it is not related to UAC set to “Always Notify.” So if anyone says something like, “UAC is broken,” it is easy to see they are mischaracterizing [sic] the feedback.
And once again we hear that most users aren’t vulnerable unless they run Windows 7 in “administrator” mode, with the implication that anyone lacking the technical sophistication to understand what “administrator” mode entails has whatever’s coming to them.
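For readers who want to see which of the two UAC settings Microsoft distinguishes above a machine is actually on, and whether the account is in the “administrator” mode the statement refers to, here is an added PowerShell check (not from the original post or from Microsoft). It assumes the UAC level is stored in the standard policy registry key named in the script, as it is on Vista and Windows 7.

```powershell
# Added example (not from the original post or from Microsoft): report which
# Windows 7 UAC slider level a machine is on, and whether the current user is a
# member of the local Administrators group. Assumes the UAC settings live in
# the standard policy key below.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# A value that is absent from the key means Windows is using its built-in default.
function Get-UacValue($name, $default) {
    if ($null -eq $p.$name) { $default } else { [int]$p.$name }
}
$enableLua = Get-UacValue 'EnableLUA' 1
$consent   = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
$secure    = Get-UacValue 'PromptOnSecureDesktop' 1

# Map the raw values to the slider positions the Microsoft statement refers to.
$level = switch ($true) {
    { $enableLua -ne 1 }                  { 'UAC disabled (EnableLUA=0)'; break }
    { $consent -eq 2 -and $secure -eq 1 } { 'Always notify'; break }
    { $consent -eq 5 -and $secure -eq 1 } { 'Notify me only when programs try to make changes (Windows 7 default)'; break }
    { $consent -eq 5 -and $secure -eq 0 } { 'Notify me only when programs try to make changes (do not dim my desktop)'; break }
    { $consent -eq 0 }                    { 'Never notify'; break }
    default { "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }
}

# "Administrator mode" in the post: the user is in local Administrators
# (SID S-1-5-32-544). The non-elevated token still lists that group as
# deny-only, so it appears in Groups even before any elevation.
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids     = $identity.Groups | ForEach-Object { $_.Value }
$isAdminMember = $groupSids -contains 'S-1-5-32-544'

# The scenario the feedback concerns: an Administrators member on any
# level other than "Always notify".
[pscustomobject]@{
    UacLevel                = $level
    UserInAdministrators    = $isAdminMember
    MatchesReportedScenario = ($isAdminMember -and $level -ne 'Always notify')
}
```

Reading the key needs no elevation; a `MatchesReportedScenario` of `True` means the machine is configured the way the quoted statement describes as the subject of the feedback.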
We admit the technical issues are over our heads. But it’s Microsoft’s job to prove beyond reasonable doubt that Windows 7 is secure, and from our view on the sidelines (and reading the largely damning comments on Microsoft’s “Windows 7 is fine” post) we’re not entirely convinced Microsoft has made its case yet.
We’ll continue to monitor the debate, but consider this one unresolved.
UPDATE: A Microsoft spokesperson sent SAI this somewhat cryptic statement. We’re following up.
We are not aware of anyone impacted by this issue at this time, but it has already been addressed in a later internal beta build.
UPDATE 2: Microsoft adds a bit more in a follow-up statement — it seems some type of fix for the problem Microsoft insists isn’t a problem is coming.
As is the case with any beta, Microsoft has later internal builds which it builds on as part of the development process. Since no one’s being impacted by this issue that Microsoft is aware of (you have to take action to have the malware get on your system to begin with, and we’re not hearing reports that’s happening), Microsoft won’t be releasing a separate update for this. But later releases of Windows 7 that Microsoft makes public will have the update addressing this built in.