UAC Flaw — MS listens, promises to fix.

Good news on the User Access Control flaw I wrote about a few days ago — the Windows 7 engineers have promised to fix it in the release candidate, and have gone even further in the fix than was asked.

The additional proposal is to run the User Access Control panel in a mode where other programs cannot manipulate it without first gaining elevated rights. This should put an end to any potential exploit via this route.

Good to see the engineers responding to this. The fact that they had to, however, leads me to wonder if they’re not a little insulated – they talked about “Customer Driven Engineering” in their previous post clarifying their views on the flaw (now changed of course) but surely a little bit of common sense and engineering experience should have told them that this was wrong, regardless of what the behavioural monitoring they performed suggested?