The Rough Edges

The first thing that bothers us is a technical matter, and that is the addition of various levels of UAC, and the security ramifications of that. We’ve talked about this before in our look at the release candidate, but it bears repeating.

With the changes made to Windows 7, at the default UAC level of 2, signed Microsoft executables are auto-elevated to admin privileges when run by an admin. This primarily manifests itself in the Control Panel, where most of the panels are allowed to auto-elevate so that users may make changes without facing a UAC prompt.

There’s certainly a benefit to this in terms of user interaction, since the Control Panel and installing software are the two most common admin-level tasks a user will do. The latter is a repeating occurrence, but the former is something that usually only happens once when the computer is set up. So by making this change, the new-user experience involves less UAC.


The UAC Control Panel With Level Slider

It’s the security ramifications of this that concern us. Someone already managed to exploit this in the pre-RC phase (where the UAC control panel itself was auto-elevating) to disable UAC entirely. The concern we have is that all of these auto-elevating programs are an obvious target for a local privilege escalation attack to accomplish something similar, if not the same. Imagine finding a way to make the Display control panel execute a 3rd party application with admin privileges, for example.

Now to be clear, it’s not as if this is the only way to achieve local privilege escalation attacks. The Windows kernel itself is a target, and I can’t think of any major desktop OSes that haven’t seen such an attack in the past. But this makes that easier, potentially much easier. And that’s a risky proposition when a UAC prompt may be all that’s left between malware executing and running amok or not.

Certainly someone is going to bite my head off for this, but I don’t think Microsoft should have made such a fundamental change to UAC. More casual users may not have been fond of how Vista or UAC Level 3 handle security, but it was a more secure choice than Level 2. To that end, I certainly wouldn’t recommend running Win7 at the default UAC level for any computer connected to the internet.
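
A defender-side check for the setting discussed above, as an added example that is not from the original article: it reads the registry values behind the UAC slider and reports whether a machine sits at the auto-elevating default. The function name Get-UacAssessment is hypothetical, and mapping the article's "Level 2" and "Level 3" onto these registry values is an assumption based on how the article describes them.

```powershell
# Added example, not the article's code. Registry values that back the UAC slider.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: turn the three policy values into a plain assessment.
function Get-UacAssessment {
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # Missing values mean the policy cannot be judged from the registry alone.
    if ($null -eq $EnableLUA -or $null -eq $ConsentPromptBehaviorAdmin) {
        return 'Unknown: policy values missing, inspect the key manually'
    }
    # EnableLUA = 0 turns UAC off entirely, whatever the other values say.
    if ([int]$EnableLUA -eq 0) {
        return 'UAC disabled: admin processes run elevated with no prompt'
    }
    switch ([int]$ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify: admins elevate silently' }
        5 {
            # 5 = prompt only for non-Windows binaries (assumed: article Level 2).
            if ([int]$PromptOnSecureDesktop -eq 1) {
                return 'Default: Windows binaries auto-elevate, prompts on secure desktop'
            }
            return 'Default, no secure desktop: Windows binaries auto-elevate'
        }
        # 1-4 prompt for every elevation; the top slider notch writes 2
        # (assumed: article Level 3).
        { 1, 2, 3, 4 -contains $_ } {
            return 'Always notify: every elevation prompts, Windows binaries included'
        }
        default { return "Unrecognised ConsentPromptBehaviorAdmin value: $_" }
    }
}

# Read the live policy; on a missing key the properties come back as $null.
$policy = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
Get-UacAssessment $policy.EnableLUA `
                  $policy.ConsentPromptBehaviorAdmin `
                  $policy.PromptOnSecureDesktop
```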

On a lighter note, even after using the release version of Win7 for 2 months now, I’m still wondering who thought it was a good idea to make the title bar of maximized windows semi-transparent. Certainly for windowed windows it makes some sense, as you can see what’s underneath. But for maximized windows? If I were concerned about what was under the window, why would I have it maximized?

Finally there’s Windows Mail, or rather the lack of it. Obviously email clients have diminished in importance in the last few years as web-based email (e.g. Gmail) continues to rise in popularity, but this doesn’t mean that an email client is not necessary. And I get that Microsoft wants to separate the email client from the operating system so that they can push out major client updates outside of major OS releases.


  Windows Mail: Have you seen me?

But what I don’t get is why there’s any reason good enough for Windows to not come with an email client at all. It’s 2009, why is there an operating system being released without an email client? I only hope that OEMs are adding email clients to their prebuilt computers, otherwise there may be some very confused Windows 7 users as people start snapping up new machines.


207 Comments


  • Voo - Friday, October 30, 2009

    That's strange.. I just tested it and it neither updates progress in my VM, nor does it show anything if I'm looking at a video in FF.

    Maybe the windows internals like file copying or similar things, but definitely not everything

    Win7 Professional x64.
  • rs1 - Friday, October 30, 2009

    Here's a quick screencast that shows the window preview updating in realtime, for both Firefox+Youtube, and the Windows Task Manager:

    http://goview.com/?id=3c96284e-ba48-475e-a314-d8ef...

    ...the only time I can get the preview to *not* update in real-time is when I have explicitly minimized the window I want to preview. I practically never do that in Win 7, because the improved taskbar makes it really unnecessary (which is probably why I never noticed the cases where the preview would not be updated).
  • Voo - Saturday, October 31, 2009

    Ah that's it - I virtually always minimize my windows, so I never noticed the different behaviour.

    Yep if you don't minimize the window explicitly you get the realtime preview, didn't know that.
  • coachingjoy - Wednesday, October 28, 2009

    While obviously a collaborative effort this article is well balanced and a good read.
    The authors are windows users but are not fanboy-ish in their observations.

    Well done.
  • vistakah - Wednesday, October 28, 2009

    Every time Windows releases a new version the naysayers go "I WILL NEVER UPGRADE!" Their loss I suppose. Windows XP was a great OS. Was it as good as Vista? Not at all as long as you had the hardware to support the OS. No dated systems would not run it and that was its downfall. I built a system for Vista and I had no issues at all with it at release. Windows 7 is much improved with some cool new things. Sorry I like the coolness factor in computing. The only difference between installing Windows 7 and Vista other than 7 was much faster was that every piece of hardware had W7 drivers already.

    Everything on my computer worked at first boot to include my wireless hotspot. Mac can still waste their money on TV commercials. We live in a PC world that will and Mac like Linux will just be small time which is ok as an option. MS did a great job this time as far as I can tell.
  • yyrkoon - Wednesday, October 28, 2009

    Compared to XP, Vista was an abortion. Vista may have had an updated Architecture, and things like UAC ( I actually like UAC; it really is not all that intrusive ). But everything that was supposed to make Vista better was not working, or was not functioning correctly. Just as one example, the new TCP/IP stack was supposed to increase Gigabit networking performance. Instead, it made it worse.

    Then, you have processes like the trusted computing process that can not even be disabled without all but disabling the operating system. The OS will run, but you can not do anything with it other than look at it. Microsoft, and its partners have no right to tell us what we can run, and when. No matter if it is illegal, or not. That is a matter for our individual governments . . . to govern. And yes, I have found at least one legitimate reason to have this process disabled.

    However, on the other hand it is not all that terrible. At least not as terrible as all the BS spread all over the net. Likenesses made to Windows ME are purely absurd. It is functional, and it is stable, and hell, it technically is more secure out of the box. That is for users who have no clue.

    I personally only use Vista because a laptop I bought came with it. Eventually I will retrograde to Windows XP *only* because of the gaming performance difference. You know what though ? I Beta Tested Vista since the beginning, I know Windows XP ( Pro ) very well, and I *know* what I want. Does this make Windows XP less secure ? Not for me, but *your* mileage may vary.

    Pay attention to what you're doing folks . . .
  • yyrkoon - Wednesday, October 28, 2009

    Windows7 AND Vista *BOTH* outperforming Windows XP in Directx 9 titles . . .? Something tells me someone, or something is not right. I had done all my own testing from Vista Beta, to RC, and it was *ALWAYS* slower in Directx 9 games compared to XP. Even if only by a frame or two a second. A lot were 7-10 FPS slower. Right now, I am playing a 5 year old + game in Vista that constantly stutters . . . Something that ran fine on current hardware 5 years ago.

    It would not surprise me if Video card manufacturers are doing something to their hardware, and / or drivers. It is not like this sort of thing has not happened in the past. Maybe, it is just a matter of implementing new technology, that just happens to work with the newer OSes. But I doubt it.

    The network performance increases are something that were *supposed* to come with Vista, and honestly annoys me more than impress. Only because I had to wait for the next iteration of Windows to see this improvement come to pass(and it really is not that huge of a difference really). Throughput figures would have been nice, instead of a timed test. The new TCP/IP stack is supposed to be there, as well as a load of other architectural improvements . . . but nothing improved between XP and Vista ( actually got worse ).

    Now I have to say that security has never been an issue for me in Windows XP. Then again, I am not some idiot, clicking yes on every dialog that pops up in my browser, or doing other equally stupid things. Any system is only as secure as the user using it. Period. Arbitrary code can be run on *ANY* system where the user is ignorant. There are many Linux boxen that have been rooted, and Linux has a much more robust kernel architecture. The difference here however is that these machines were mostly highly visible as servers. My point here is; Do not blame the OS, blame the user / administrator. Vista, or Windows 7 may be more advanced compared to XP, but they pale compared to Linux/Unix.

    Lastly, I would like to dispel the belief that computers automatically get infected just by connecting to the internet . . . Downloading illegal ( and virus ridden ) software, visiting porn sites, and opening emails from people you do not know ( or even those you do know ) I would have to put high on the list of ways to become compromised. Joe hacker ( Joe script kiddie ? )may be looking for a way to compromise any number of highly visible servers for numerous reasons, but he has no idea who Joe blow even is. Let alone what Joe Blow's IP is. Even if he did, he would have to find a way to connect, which is virtually impossible on a hardened system. So sure, perhaps Windows compared to Linux, or any other Unix like operating system ( this includes OSX ) is architecturally inferior in this respect; It still can, and does happen to any operating system. But not *_just_because_* you've connected to the internet.
  • Torment - Wednesday, October 28, 2009


    "Lastly, I would like to dispel the belief that computers automatically get infected just by connecting to the internet"

    Hahahahaha...Sasser? Blaster? Are you really that clueless?

    Beyond the network security holes those exposed, browsers need to be sandboxed. Period. It would solve 99% of the virus/trojan/malware problems home users experience.
  • yyrkoon - Wednesday, October 28, 2009

    Are *you* really that clueless ? Seriously.

    *IF* you let your system respond to IDENT, then *maybe*. However, this is *not* just because you connected to the internet. This is because you connected to the internet, Joe Hacker was looking to exploit you(and others), and because "you" did not harden your system. Browsers have nothing to do with this matter per se. What does have to do with this is getting an executable on a machine in hopes of exploiting it. Using Internet Explorer was just a means to accomplish that end.

    Now do you care to know how Sasser was caught ? Those of us who *know* which processes are running all the time, and that 99% CPU utilization is far from expectable most of the time. e.g. those of us who know what processes we run, and how much CPU we *should* be using at any given time / situation.

    Still, this really is not that much different from exploiting Apache on a Linux server. Only difference is delivery ... only. Now *if* Apache were sand boxed . . .

    By the way, many of *us* were never affected by Sasser. That is, those of *us* who pay attention.
  • Torment - Thursday, October 29, 2009

    And what were XP's settings out of the box? And how many people were infected by just those two? Dumbass.

    My point about sandboxing IE was apart from the previous point. In my experience, it is the primary vector for infection. And there have been exploits that allowed infection when visiting "safe" sites that had been compromised by yet another security flaw. If browsers were sandboxed, 99% of problems would be solved. Microsoft is slowly moving in that direction.
