When it comes to Windows’ User Account Control security feature, Microsoft just can’t catch a break. The version of UAC that debuted in Windows Vista is famously paranoid and pushy. And now there’s controversy brewing that the default settings of Windows 7’s less in-your-face UAC are too lax. Malware can turn off UAC without Windows 7 notifying the user; it can also take advantage of a security hole to give itself auto-elevate permission, thereby hiding its actions. Over at ZDNet, Mary Jo Foley has a good report on this.
I’m most concerned about the fact that Microsoft refused to let Mary Jo interview anyone on the subject–instead, the company provided her with a terse and not very satisfying prepared statement. There may be a rational argument for why Windows 7’s approach to UAC makes sense, but so far, Microsoft doesn’t even seem to be trying to make it…