Microsoft insisted Monday that what outsiders have called a "security flaw" in Windows 7 is not a bug, but the way the new operating system is meant to work.
Last week, Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes "I Started Something," argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
UAC, which debuted in Windows Vista, is a security feature that prompts users for their consent before tasks such as program and device driver installation are allowed. The feature has been roundly criticized since Vista's launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC's problems last year when it named it one of the five factors that contributed to Vista's slow adoption pace.
In Windows 7, UAC has been modified to pop up alerts less often. It also, said Rivera and Long, has been changed so that by default the feature is set to "Don't notify me when I make changes to Windows settings."
"Windows 7 now ships with UAC configured to hide prompts when users change Windows settings," noted Rivera in a post to his blog on Friday. "While this mode still ensures normal applications can't overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.
"Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart," Rivera continued.
The danger, Rivera and Long said, is that attackers can easily disable UAC -- one of Microsoft's most heavily-promoted security features in the last two years -- without involving the user, and -- since by default Windows 7 doesn't warn when such changes are made -- without the user's knowledge.
The pair created a proof-of-concept script that disables UAC, and posted it online.
"We soon realized the implications are even worse than originally thought," said Long. "You could automate a restart after UAC has been changed, add a program to the user's Startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."
Microsoft disagreed with Rivera's and Long's conclusion.
"This is not a vulnerability," said a Microsoft spokesman in an e-mail. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This [includes] changing the UAC prompting level."
The spokesman went on to say that the changes to UAC in Windows 7 were based on feedback Microsoft received from users, and noted that a script such as the one Rivera and Long created could only gain entry to a PC if the user downloaded and ran it, or if it was introduced as part of a broader attack. "In order for malicious code to have gotten on to the box," the spokesman continued, "something else [must have] already been breached, or the user has explicitly consented."
Andrew Storms, director of security operations at nCircle Network Security Inc., took Microsoft's side in the discussion. "I would agree [that] it is functioning as designed," said Storms via instant messaging. "The word 'vulnerability' is probably misplaced in this case. [And] the point is that it had to have gotten on there and run by something...a user clicking, some third-party software, etc."
The Microsoft spokesman declined to answer a question about whether the company would alter UAC behavior in Windows 7 as it moves from beta to the next milestone, a release candidate. Long, however, noted that on the official feedback forum for Windows 7 beta testers, Microsoft has hinted that it will not change the UAC default settings.
In a follow-up entry posted Saturday, Long remained mystified by Microsoft's reluctance to address the issue. "What I do not understand is how they are treating the seriousness of this problem," he said. "Microsoft's argument is entirely based on the user, which I agree to an extent -- they have to download and execute such an application, but remember, this can be a low-privileged application so it would have no warnings whatsoever.
"How could a low-privileged application be[ing] able to turn off the entire privileged-applications security-layer not be a security flaw?" he asked.
Users can protect themselves by simply resetting UAC settings to the "Always notify" option. "Annoying, but safe," said Long.
To change UAC's settings in Windows 7, locate the control panel -- typing "UAC" in the Start menu's search field is the fastest way to bring it up -- then drag the slider up to the "Always notify" mark. Click OK.
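The slider described above writes to a handful of well-known values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, so a machine's UAC posture can be audited without opening the control panel. The following PowerShell script is an added example, not code from the article or from Rivera and Long; it assumes Windows 7 or later, and the function name Get-UacPostureReport, the level labels and the treatment of absent values as their defaults are my own. It reports whether the box is still at Microsoft's default, has been moved to "Always notify", or has been dropped to "Never notify" (the end state the article's proof-of-concept script produces), which is the reading a defender would want from a fleet check.

```powershell
# Added example (not from the original article): audit the UAC prompt level.
# The UAC slider maps onto these documented registry values (assumption: Windows 7 or later).
#   EnableLUA                  1 = UAC on, 0 = UAC off (takes effect after a restart)
#   ConsentPromptBehaviorAdmin 2 = always prompt, 5 = prompt only for non-Windows binaries
#                              (the Windows 7 default), 0 = never prompt
#   PromptOnSecureDesktop      1 = prompt on the secure desktop, 0 = on the normal desktop

function Get-UacPostureReport {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Reading this key needs no elevation, so the check runs from an ordinary prompt.
    $props = Get-ItemProperty -Path $KeyPath

    # An absent value is treated as its default (my assumption, matching a fresh install).
    $enableLua = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }
    $consent   = if ($null -ne $props.ConsentPromptBehaviorAdmin) { [int]$props.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $props.PromptOnSecureDesktop) { [int]$props.PromptOnSecureDesktop } else { 1 }

    # Translate the raw values into the slider position a user would recognise.
    $level = if ($enableLua -eq 0 -or $consent -eq 0) {
        'Never notify (UAC effectively off)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        'Default: notify only when programs try to make changes'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        'Notify only when programs try to make changes (no secure desktop)'
    } else {
        "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        AlwaysNotify               = ($enableLua -eq 1 -and $consent -eq 2 -and $secure -eq 1)
    }
}

# Usage: print the posture and warn when the slider is anywhere below the top mark.
$report = Get-UacPostureReport
$report | Format-List
if (-not $report.AlwaysNotify) {
    Write-Warning "UAC is not at 'Always notify'. Drag the slider to the top and click OK."
}
```

Because EnableLUA only takes effect after a restart, a machine whose slider was just dragged to the bottom still enforces UAC until it reboots; the report flags it anyway, since the registry already records the pending change.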
Microsoft launched a public beta of Windows 7 three weeks ago, and recently extended the download deadline to Feb. 10.
Written by Sekhy! on February 4th, 2009 with no comments.
I know this isn’t really related to Microsoft in any way but the public beta for Call of Duty: World at War has just come out and I am a huge fan. You can download yourself a free copy of the game if you go to http://www.callofduty.com/ and register to get a serial number and a download link.
If you are running a Vista machine you will most likely run into some difficulties when running the game for the first time after installation. These errors are:
-Message box displaying missing d3dx9_37.dll (or something along those lines)
-Message Box displaying: “Error during initialization: Unhandled exception caught”
To remedy these problems do the following:
The missing DLL file (d3dx9_36.dll) is attributed to an outdated version of Microsoft DirectX. Simply point your browser here (http://www.microsoft.com/downloads/details.aspx?FamilyId=2DA43D38-DB71-4C1B-BC6A-9B6652CD92A3&displaylang=en) to download the Microsoft DirectX 9/10 web download application. This will determine the version of DirectX installed on your system and apply the latest SDK updates accordingly.
After this install is complete the error should no longer appear and the game should run fine.
The second error, “Error during initialization: Unhandled exception caught”, is a stupid error attributed to the way the game uses the Windows Vista playback device.
To remedy this problem click:
Start>Control Panel>Sound
Right Click on the default playback device (e.g. Speakers) and click properties. From there select the Advanced tab.
To eliminate this error the default playback format must be set to 24 bit, 48000 Hz (Studio Quality). Simply select this from the dropdown list and apply the settings.
Try launching the game now. Everything should run fine.
Any questions or comments, don’t hesitate to post them below.
-Patrick (>DDC<Ping)
Written by Patrick S on November 1st, 2008 with 75 comments.
Yesterday (and possibly the day before) a lot of commotion was caused when people started getting “Trial Period” notices appearing when using Windows Live Mobile Messenger.
The message read the following:
“Hello! Starting today, your 30 day trial period begins. By selecting OK you acknowledge that your use of Windows Live services continues to be subject to the Terms of Use and Privacy Statement. Data charges from your mobile operator, including roaming fees may apply for using the Windows Live services. At the conclusion of this trial, you will be given the option to purchase a 30 day pass.”
Here is what actually happened: Microsoft rolled out a direct-to-consumer billing service for the Windows Live client on Nokia S60s in the UK and Sweden. The only problem was that not just Nokia S60 users got the message but everyone using the Live service.
“As you may know, we offer Messenger services through mobile operators on lots of handsets, not just Windows Mobile. Traditionally, customers have been billed by their mobile operators for many of these services, either directly or through their data package.” - Matt Champagne, director of Windows Live mobile services.
Microsoft are considering adding the “direct-to-consumer billing service” for everyone in the future, but the final decision has not been made yet.
So… if you were on a Windows Mobile device and not a Nokia S60 and received the message by accident, ignore it!
Written by Patrick S on January 9th, 2008 with no comments.
1&1, the popular website hosting service and domain name registrar, has a very serious problem with its nameserver configuration web interface.
We’re hosting our own domains with 1and1 (pointing to our dedicated servers hosted with the excellent and much-recommended Lunarpages), and were attempting to reconfigure our nameservers to point to a different IP address. We went into the 1&1 admin interface and attempted to re-configure the neosmart.net nameservers to point to the new IP - a week later, the DNS hadn’t yet propagated and we couldn’t find a good explanation.
This was how we had originally set up our nameserver entries in the 1and1 web administration center:
Click to continue reading "Major 1&1 DNS Configuration Bug!"
Written by Computer Guru on October 16th, 2007 with 1 comment.
For all the Windows-bound PHP users out there, consider yourselves warned: even if you’re running the (supposedly) thread-safe PHP Win32 binary redistribution, you’re still susceptible to PHP Access Violation Errors, race problems, heap corruption, and much worse if you use the popular eAccelerator opcode-caching extension.
We did our testing with the binaries compiled by SiteBuddy using the latest versions of both PHP and eAccelerator. Almost immediately after initiating a stress test on our test servers we experienced the dreaded “PHP Access Violation” error - which brings the entire IIS worker process down with it.
Click to continue reading "eAccelerator PHP Extension Isn’t Thread-Safe…"
Written by Computer Guru on September 10th, 2007 with 2 comments.