Next week Microsoft is releasing three critical patches for remote code execution vulnerabilities in (the not quite yet released) Windows 7. Windows 7 offers some tremendous improvements over previous versions of Windows. Users should be aware, though, that in order to reduce User Account Control prompting, Microsoft changed the default configuration of user accounts, and the practical effect is that a remote code execution vulnerability can take control of the computer. In other words, malware can gain control of a computer without the user's knowledge, and without the elevation prompt that Vista would have shown. It is only a matter of time before malware is directly targeted at this gap, which will likely come once Windows 7 is more prevalent.
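The default the post is talking about is a registry-backed UAC policy, so the quickest way to see where a given machine stands is to read it. The following PowerShell is an added example written for this post, not code from Microsoft or from the original article; the registry path, value names and the meaning of each ConsentPromptBehaviorAdmin value are taken from Microsoft's documented UAC policy settings, and the commented-out lines at the end show how to put the prompting behaviour back to the Vista-style "always prompt on the secure desktop" setting.

```powershell
# Added example (not from the original post). Reads the UAC policy values that
# decide whether an administrator account is prompted before code elevates.
# Path and value names are Microsoft's documented UAC policy settings.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props  = Get-ItemProperty -Path $uacKey

# Documented meanings of ConsentPromptBehaviorAdmin.
$behavior = @{
    0 = 'Elevate without prompting (no UAC prompt at all)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

$admin  = [int]$props.ConsentPromptBehaviorAdmin
$lua    = [int]$props.EnableLUA
$secure = [int]$props.PromptOnSecureDesktop

"EnableLUA                 : $lua"
"ConsentPromptBehaviorAdmin: $admin -> $($behavior[$admin])"
"PromptOnSecureDesktop     : $secure"

if ($lua -ne 1) {
    Write-Warning 'UAC is disabled: every process of an administrator account already runs with the full token.'
}
elseif ($admin -eq 0 -or $admin -eq 5) {
    Write-Warning 'Relaxed admin-approval mode: this is the Windows 7 default the post describes, where Windows binaries elevate without a prompt.'
}
elseif ($admin -eq 2 -and $secure -eq 1) {
    'Vista-style behaviour: every elevation is confirmed on the secure desktop.'
}

# To restore the Vista-style setting (run from an elevated shell; takes effect at next logon):
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2
# Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop     -Value 1
```

The script is read-only as written; the two Set-ItemProperty lines are left commented so that auditing a machine does not change it. Note that even the strict setting is a usability control rather than a guarantee, which is the point the next paragraph makes.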
According to a Senior VP at Microsoft, "UAC is not a security boundary." Although this is clearly a change from how it was positioned for Vista, I would agree at this point. Referring to Windows 7, he stated, "There has been no report of a way for malware to make it onto a PC without consent." Given the history of remote code execution vulnerabilities in previous versions of Windows (and in other operating systems), this was a surprising statement. With these three patches it is also no longer accurate.