User Access Control security flaw in Windows 7 beta

Sacrificing security for usability: UAC security flaw in Windows 7 beta:

By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate. The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC if you change any system settings.

The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

Whoops. This one is a bit of a showstopper. I’m very happy with the re-imagined User Access Control in Windows 7 (I believe it’s pretty much what it should have been in Vista) but this definitely needs fixed. I agree completely with Long Zheng’s proposed solution:

Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click “yes”) but a simple one.

(Via I Started Something.)
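
For administrators who want to know which machines sit at the default level described above, here is an audit sketch. It is an added example, not code from this post or from Long Zheng's article. It assumes the UAC policy values Windows stores under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (names the post does not mention); the function names, level labels and sample value sets are hypothetical.

```python
"""Classify a machine's UAC policy values into the levels discussed in the post."""
import sys

KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def classify_uac(enable_lua, consent_admin, secure_desktop):
    """Return (level, findings) for one set of UAC policy values."""
    if enable_lua == 0:
        return "disabled", ["UAC is off: nothing prompts for elevation"]
    if consent_admin == 0:
        return "never-notify", ["administrators elevate without any prompt"]
    if consent_admin not in (1, 2, 3, 4, 5):
        return "unknown", [f"unexpected ConsentPromptBehaviorAdmin={consent_admin}"]
    findings = []
    if consent_admin == 5:
        # Consent is requested only for non-Windows binaries, which is the
        # behaviour the post describes for Windows-signed settings applets.
        level = "default"
        findings.append("Windows-signed binaries elevate without a prompt, "
                        "so changes to Windows settings are not confirmed")
    else:
        level = "always-notify"
    # Values 1 and 2 always prompt on the secure desktop; 3, 4 and 5 follow
    # the separate PromptOnSecureDesktop policy.
    if consent_admin in (3, 4, 5) and secure_desktop == 0:
        findings.append("prompts appear on the interactive desktop, "
                        "not the secure desktop")
    return level, findings


def read_local_uac():
    """Read the three policy values from the local registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        return tuple(winreg.QueryValueEx(key, name)[0] for name in NAMES)


# Constructed value sets for running off Windows; not captured from real machines.
SAMPLES = {
    "default-level": (1, 5, 1),
    "always-notify": (1, 2, 1),
    "uac-off": (0, 0, 0),
}

if __name__ == "__main__":
    rows = {"local": read_local_uac()} if sys.platform == "win32" else SAMPLES
    for name, values in rows.items():
        level, findings = classify_uac(*values)
        print(f"{name}: {level}")
        for finding in findings:
            print("  -", finding)
```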