The Inquirer-Home

Windows 7 less secure than Vista

Probably why it works better
Thu Feb 05 2009, 12:43

ONE OF THE SELLING POINTS OF WINDOWS 7 is that it is not Vista. It is not a giant purple three-toed sloth either, which is another thing you expect from an operating system.

However, one of the things that makes it 'not Vista' is that it does not have so many user notifications such as, "you have just typed the letter A... are you sure you wish to proceed?".

But to do this, Vole has tinkered with the User Account Control (UAC) feature and created two severe exploits which are set as the default, at least in the Beta version.

The first allows malware to kill the UAC, leaving the hacker free to do what they like on your computer. The second allows other malware to auto-elevate without telling the user.

The 'features' were found by Long Zheng and Rafael Rivera. They have chatted to Vole about the holes and so far Microsoft has said that the Windows 7 Beta is designed to work that way.

Speaking to ZDNET, Vole insisted that the intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings.


In other words users moaned about getting asked about changes all the time in Vista so Vole took them out.

It seems that some of the changes that make Windows 7 look so attractive have been made by removing some of the security features that we hated in Vista. The problem for Vole is that some people liked those features in Vista and are obsessed with security.

Microsoft is in a tricky position of saying 'we value security' while at the same time knowing that too much security is going to tigger most users up completely.

The question then becomes how dangerous these reductions in security are. According to ZDNET, it is a doddle to pull off the sort of exploit that the flaw permits.

Its security experts think that Vole should tighten up its default settings unless it wants Windows 7 to go out of Redmond with a reputation of being insecure.

However, impose too much pointless security and you end up like the US customs and immigration at Los Angeles airport, which is one of the worst in the known world. µ


