Good news on the User Access Control flaw I wrote about a few days ago — the Windows 7 engineers have promised to fix it in the release candidate, and have gone even further in the fix than was asked.

The additional proposal is to run the User Access Control panel in a mode where other programs cannot manipulate it without first gaining elevated rights. This should put an end to any potential exploit via this route.

Good to see the engineers responding to this. The fact that they had to, however, leads me to wonder if they’re not a little insulated – they talked about “Customer Driven Engineering” in their previous post clarifying their views on the flaw (now changed of course) but surely a little bit of common sense and engineering experience should have told them that this was wrong, regardless of what the behavioural monitoring they performed suggested?

 
