Talk about a 180: Microsoft (MSFT) now acknowledges changes may be necessary in the way Windows 7 handles security, and the company is promising to implement two changes to the upcoming “release candidate” version of the OS to address concerns raised by hackers.
The brouhaha started two days ago when bloggers Long Zheng and Rafael Rivera raised questions about the way the security-managing “User Access Control” might be disabled by malware, leaving a PC vulnerable to further attacks.
In response, Microsoft yesterday insisted Windows 7 was fine, attributing possible concerns about the Windows 7 UAC to amateurish “misconceptions” from people who don’t really know anything about PC security. Hackers flooded the comments on Microsoft’s post, which denied anything was wrong, suggesting that maybe, just maybe, Microsoft was simply being stubborn in refusing to implement a simple change that would make Windows 7 much more secure.
That stubbornness is now gone. In a contrite follow-up post, Microsoft engineers now plead they “messed up” their handling of the Windows 7 security questions:
We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we’ve managed to do both. Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed. That’s not the dialog we set out to have and we’re going to do our best to improve.
The company is promising to implement two changes to the next version of Windows 7, including:
First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.
Bravo to Microsoft for their new approach, bravo. No one can reasonably expect the Windows 7 Beta to be perfect — finding and squashing bugs is why you have Betas in the first place. But it was an alarming sign that when the company was faced with its first real round of criticism, its gut instinct was to act imperious and dismissive, angry that anyone would dare suggest any fault might exist in the Windows 7 code. We like this new approach — open to feedback, flexible, and success-oriented — much better.
We’re still waiting to see whether the critics are satisfied that their concerns have been fully met. And with no “Beta 2”, only a release candidate, Microsoft may find itself in a tight spot if the next version of the UAC has problems too. But we’re suddenly a lot more confident Microsoft won’t let a malware-vulnerable Windows 7 reach market.