Windows 7 security faces growing criticism

Microsoft is facing increasing heat over the security implications of a change designed to make Windows 7 more user-friendly than its predecessor.

One of the chief complaints with Windows Vista is frustration with all the warnings that pop up to notify users that changes are being made to the operating system. With Windows 7, Microsoft has changed the feature so that users see fewer messages by default and also so they have more control in deciding how often they are notified.

The problem, say some, is that by making the prompts less frequent by default, Microsoft is potentially paving the way for malicious software to make changes without the user's consent.

Unlike with Windows Vista, where users were alerted of all major changes to their system, the default setting in Windows 7 provides users with warnings only when it is a piece of software on its own making the changes.

Blogger Long Zheng has detailed several issues he says are created by that change. Last week, he noted that the changes could allow for malicious code that would turn the prompts off entirely without warning the user.

In recent days, Zheng said he notified Microsoft of a second issue in the Windows 7 beta, which he went public with on Wednesday. The latest issue, he says, could allow a program to elevate its rights to administrator level without properly notifying the user.

Microsoft said that second issue, which would still require malware to make it onto a system, has been fixed in a more recent build of Windows 7 issued internally. That fix is likely to make its way to the public when Microsoft reaches its next public milestone, a so-called "release candidate" build.

As for the broader issue with regards to the User Account Control (UAC) feature, Microsoft says the criticisms don't take into account real-world behaviour. With Vista, the prompts were seen as so annoying by average users that many were ignoring the warnings or turning them off entirely, said Jon DeVaan, the head of Microsoft's core operating-system development unit.

"It is pretty clear that we drove... that behaviour," DeVaan said in an interview on Wednesday.

He likens it to a recent move by his bank to increase its security measures. By making the system harder to use, DeVaan said the main change in behaviour it prompted was for him to consider changing banks.

Although in the abstract it may seem like Microsoft is making the system less secure by default, DeVaan said the company's real-world testing shows users will pay more attention to the prompts when they see fewer of them.

DeVaan also said the recent wave of criticism ignores the advances Windows 7 has made in reducing the likelihood of malware making it onto the system in the first place. Internet Explorer 8, which is built into Windows 7, offers protection against new types of attacks, such as clickjacking.

"Those are designed to help people know before someone is trying to compromise the system," DeVaan said. "In the current feedback we are seeing from people, there has not been any addressing of those parts we have improved."

Mounting concerns
Still, some critics say the changes to UAC are ill-advised.

"You are trading some security for the benefit of fewer prompts," said John Moyer, chief executive of BeyondTrust. Moyer, whose firm creates software to allow businesses deeper control over which applications get elevated privileges, has been a longstanding critic of the degree to which the UAC feature can mitigate security risks.

Chris Wysopal, chief technology officer at security provider Veracode, said while the changes Microsoft made in ratcheting down the security feature don't constitute a vulnerability in the true sense of the word, they do create a risk for end users.

"Microsoft has chosen by design to include a setting in the UAC, which really renders UAC off, since at medium setting malware could turn it off. It's not clear that they thought through all the implications of the medium setting," he said. "The confusion stems from the fact that this is the medium setting, not off, but its behaviour can lead to it being turned off by malware. If the user thinks they are getting some protection with this setting but they are not, it is a problem."

Yet others acknowledge that the issue of how and when to prompt users is a thorny one.

"Security and usability are often a trade off, unfortunately," said McAfee spokesman Joris Evers. "If you get heavier locks and security on your house, it often takes you a bit more time to get in and out. If it is too much work every day, you may end up removing some of the locks, or leaving them unlocked, for convenience."

Nitesh Dhanjani, a security expert and senior manager at Ernst & Young, said even if its goals were laudable, there is probably more work that Microsoft can and should do.

"Even though the Windows 7 team has made good choices in reducing the number of UAC prompts, I feel there are further improvements they can make, such as mapping hardware events to software events to further reduce user interaction," Dhanjani said. "I can see how this may be a more complex solution than what it immediately appears to be."

Some have suggested that Microsoft should change the default setting so that, at a minimum, changes to the UAC settings, would always require user approval.

DeVaan said Microsoft is still evaluating whether it will make changes to either the UAC settings or to the default option before the operating system is shipped in final form.

"We're taking every piece of feedback seriously and carefully considering it," he said.

CNET News.com's Elinor Mills contributed to this report.