
Windows 7 less annoying, but also less secure?

A prominent blogger notes that efforts to turn down the dial on security alerts could leave Windows 7 more vulnerable than Vista to attack.

Ina Fried Former Staff writer, CNET News
During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.

Microsoft's efforts to make Windows 7 less annoying than Vista may also be making it less secure than its predecessor.

With Windows Vista, the operating system popped up a warning any time a major change was being made to the system, whether by the OS or by a third-party application. With Windows 7, users can choose how often to be notified, with the current default set to notify only when a third-party application is making a change.

Blogger Long Zheng, however, is drawing attention to an apparent shortcoming in that approach. Because changes to the User Account Control (UAC) setting itself are being made within the OS--and not by a third party--malicious code could turn off such alerts entirely with the user getting little notice that such a change had been made. Zheng said he and fellow blogger Rafael Rivera have come up with simple proof-of-concept code to show the vulnerability.

Microsoft is trying to thread a difficult needle here. The prompts issued by the User Account Control program, though annoying, help alert users to changes to their system. But if the prompts are so annoying that people turn off the setting--or stick with older operating systems--then things aren't secure either.

Zheng proposes, at a minimum, that Microsoft's default setting also warn users if a change is being made to UAC itself. That seems reasonable to me.

A Microsoft representative was not immediately available for comment.