Useless Account Control

Thursday, October 22, 2009

Sudha Nagaraj


In these days of heightened security awareness, I would think any and every operating system should boast of a robust anti-virus software suite. The fact that Microsoft released its much-awaited and highly proclaimed Windows 7 OS today without built-in anti-virus software continues to puzzle me.

The impending release of dramatic advertisements that highlight the security features of the OS makes the exclusion doubly glaring. An old man is shown eulogizing Windows 7 to an attentive boy for its 50-foot castle wall-type security. A wall of flames also springs up for good measure, surrounding the toy castle in the clip, we are told!

The fact that Microsoft’s freely downloadable Security Essentials has recorded 1.5 million downloads in a week makes the absence of the software in the OS more perplexing. As the Security Essentials download is not yet available in all countries, Windows 7 seems lacking in a very “essential way” in terms of security.

Of course, Windows Defender, including a firewall and anti-malware, is very much part of the OS. But to me that makes the absence of an anti-virus solution more prominent.

Moving on to the much-maligned User Account Control from Vista, which has been revamped for Windows 7, there are murmurs about Microsoft having compromised security for usability. The Action Center security tool provides fresh settings for User Account Control through a slider that allows stringent and liberal options. Namely:

• Always notify me
• Notify me only when programs try to make changes to my computer (default)
• Notify me only when programs try to make changes to my computer (do not dim my desktop)
• Never notify me

(When Programs try to install software or make changes to my computer; I make changes to Windows Settings)

Earlier, Vista users cursed the frequent prompts that appeared on the screen each and every time a change was made to the system, including common administrative tasks on Windows. Now, the above options allow the user to be notified only when non-Windows applications attempt changes or when changes are made to settings. The only problem is that even changes to UAC are included in changes to Windows Settings!
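To check which of the four slider positions a machine is actually on, the following PowerShell sketch reads the UAC policy values from the registry and names the matching level. It is an added example, not part of the original post; the function names are hypothetical, and it assumes the standard UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) and the Windows 7 behaviour where "Never notify me" turns UAC off.

```powershell
# Added example: map the UAC policy registry values to the four slider positions.
# Function names are hypothetical; the value names are the standard UAC policy values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Resolve-UacSliderLevel {
    param(
        [Nullable[int]]$EnableLUA,
        [Nullable[int]]$ConsentPromptBehaviorAdmin,
        [Nullable[int]]$PromptOnSecureDesktop
    )
    # A missing value means the level cannot be named with confidence.
    if ($null -eq $EnableLUA -or $null -eq $ConsentPromptBehaviorAdmin -or
        $null -eq $PromptOnSecureDesktop) {
        return 'Unknown (value missing; inspect manually)'
    }
    # Assumption: on Windows 7 the lowest slider position sets EnableLUA to 0.
    if ($EnableLUA -eq 0) { return 'Never notify me (UAC disabled)' }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1' { return 'Always notify me' }
        '5/1' { return 'Notify me only when programs try to make changes (default)' }
        '5/0' { return 'Notify me only when programs try to make changes (do not dim my desktop)' }
        '0/0' { return 'Never notify me' }
        default {
            # Group Policy can set combinations the slider never produces.
            return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop)"
        }
    }
}

function Get-UacSliderLevel {
    # Read the live policy values; absent properties come back as $null.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $level = Resolve-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Level        = $level
        AlwaysNotify = ($level -eq 'Always notify me')
    }
}

Get-UacSliderLevel
```

Run across a fleet, the `AlwaysNotify` column shows which machines are still on the default or a lower setting.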

This was highlighted by a whitepaper by Sophos months earlier. The security solutions developer and vendor raised an alarm over the problems that the default settings could bring: … “Malware could bypass the system by injecting itself into a trusted application and running from there. Indeed, some malware has been observed spoofing UAC-style prompts to obtain user permission to operate unimpeded.”

Bloggers too wrote extensively on this flaw. But to no avail, it seems.

At the end of the day, it is common knowledge that very often users simply shut off the controls they wield by clicking on ‘okay’ for default settings. And by doing so, they only expose themselves to more risk. So much for user control!
