Microsoft has said that it will make changes to the way the User Account Control security feature works in Windows 7.
After getting feedback that Windows Vista prompted users to approve changes too often, Microsoft had decided to prompt users less frequently in Windows 7. However, in recent days, some enthusiasts and security experts warned that the specific changes Microsoft planned to make with Windows 7 could put users at risk.
Microsoft initially downplayed the risks and defended its choices around the User Account Control (UAC) feature. On Thursday, though, the company's two top Windows engineers said the company will make some modifications in response to the outcry.
Microsoft will not change the default setting (which is to notify users only when a program is making changes to their system). However, it will add an exception when changes are being made to the UAC itself. Starting with the upcoming release candidate version of Windows 7, changes to the UAC settings will require user approval, senior vice presidents Jon DeVaan and Steven Sinofsky said in a blog posting.
"With this feedback and a lot more, we are going to deliver two changes to the Release Candidate that we'll all see," the pair wrote. "First, the UAC control panel will run in a high-integrity process, which requires elevation. That was already in the works before this discussion ... Second, changing the level of the UAC will also prompt for confirmation."
When the issue was first raised last week, Microsoft issued a terse statement that basically said the feature was working as it was supposed to.
"This is not a vulnerability," Microsoft said. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level."
However, the criticism around the setting continued to build.
In an interview on Wednesday, DeVaan told ZDNet UK's sister site CNET News.com that Microsoft would consider changes. He also said that it believed that the discussion had lost sight of the fact that the issues being discussed only applied if a system was already compromised by malware.
Rafael Rivera, who along with blogger Long Zheng was among the first to write about the UAC issue, praised Microsoft for its eventual action.
"I'm happy to hear of the changes upcoming in the public Windows 7 Release Candidate build," Rivera said in an email. "Regardless of the reasons (behind the changes), the increase in security is a win for all Microsoft Windows users."
Zheng also praised Microsoft's move in a blog posting late on Thursday.
In their post, DeVaan and Sinofsky acknowledged their communication on the issue had been less than ideal. "Our dialog is at that point where many do not feel listened to, and also, many feel various viewpoints are not well-informed," the pair wrote.
Sinofsky and DeVaan said they expected a breakdown in communication to happen at some point, but said that they hoped the dialogue around Windows 7 would continue.
"We don't want the discussion to stop being so lively or the viewpoints to stop being expressed, but we do want the chance to learn and to be honest about what we learned and hope for the same in return," they wrote. "This blog has almost been like building an extra product for us, and we're having a fantastic experience. Let's all get back to work and to the dialog about Engineering Windows 7. And of course most importantly, we will continue to hear all points of view and share our point of view and work together to deliver a Windows 7 product that we can all feel good about."
Reviews of the beta version of Windows 7, which came out last month, have been largely positive, particularly around the performance and reliability of the product. Microsoft saw the first significant criticisms about Windows 7 this week, both in regard to the UAC feature as well as some dismay that the company will again offer at least six different versions of Windows 7 on its release.
Officially, the operating system update is due out before the end of January 2010. However, Microsoft's expected aim is to have Windows 7 out in time for it to be installed on computers on sale at Christmas.
For Windows 7, Microsoft won't change the User Account Control default setting (which is to notify users only when a program is making changes to their system), but it will add an exception when changes are being made to the UAC itself. (Credit: CNET News)
Talkback
For me, the current level of security on Windows 7 Beta is OK. A balance between security and convenience which is about right for a user who does ensure he is protected by a comprehensive Internet Security Programme providing a firewall, anti virus, anti malware , etc. etc. Comodo Internet Security is a good example but will not install on Windows 7. The Kaspersky beta for Windows 7 seems to be OK except that currently it has a lot of updates, each requiring a restart.
But then, I'm reasonably computer literate. Many other computer users are not and they do also require to be catered for. However, they likely will not understand a pletherer of intrusive questions to which they don't really know the answers anyway and will just say 'yes' regardless.
Then there are the business and commercial computers which need to be locked down completely. Again, there some small businesses which do not understand their computers very well either.
So there is no one size fits all and consequently Microsoft do, in fact, face a dilemma. Their proposed solution seems a reasonable, but not perfect, solution under the circumstances