User Access Control security flaw in Windows 7 beta

Sacrificing security for usability: UAC security flaw in Windows 7 beta:

By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate. The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC if you change any system settings.

The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

Whoops. This one is a bit of a showstopper. I’m very happy with the re-imagined User Access Control in Windows 7 (I believe it’s pretty much what it should have been in Vista) but this definitely needs fixed. I agree completely with Long Zheng’s proposed solution:

Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click “yes”) but a simple one.

(Via I Started Something.)
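
To see which UAC level a machine is actually running at, and to notice when it has been lowered or switched off without anyone meaning to, you can read the policy values behind the Control Panel slider. This is an added example, not code from the quoted post or from Microsoft; the function name `Get-UacLevel` is hypothetical, and the value-to-level mapping assumes the `Policies\System` registry values used by released versions of Windows.

```powershell
# Added example: report the effective UAC level from the policy registry values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # Hypothetical helper: maps the three policy values to the slider positions.
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    if ($EnableLUA -eq 0) { return 'Disabled' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify' }
        2 { return 'Always notify' }
        5 {
            # The "notify me only when programs try to make changes" level.
            if ($PromptOnSecureDesktop -eq 1) { return 'Default (programs only, Secure Desktop)' }
            return 'Programs only, no Secure Desktop'
        }
        default { return "Other (ConsentPromptBehaviorAdmin = $ConsentPromptBehaviorAdmin)" }
    }
}

$names  = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'
$policy = Get-ItemProperty -Path $UacKey -ErrorAction Stop

# A missing value would silently convert to 0, so report it instead of guessing.
$missing = $names | Where-Object { $null -eq $policy.$_ }
if ($missing) {
    Write-Warning "UAC policy values not set: $($missing -join ', ')"
    return
}

$level = Get-UacLevel -EnableLUA $policy.EnableLUA `
    -ConsentPromptBehaviorAdmin $policy.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $policy.PromptOnSecureDesktop

Write-Output "UAC level: $level"

# Anything below "Always notify" includes the default level discussed above.
if ($level -ne 'Always notify') {
    Write-Warning 'UAC is not at "Always notify"; changes to Windows settings may not prompt.'
}
```

Run on a schedule and compared with the previous result, the same check shows when the level has changed between runs.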