
Network World


Windows 7 UAC Fix Doesn't Address UAC's Fatal Flaw

By Mitchell Ashley on Fri, 02/06/09 - 8:08am.

Wow, that was a fast turnaround from Microsoft, something we're definitely not used to. Microsoft quickly changed its position on the UAC notification default setting issue in Windows 7, due to the vulnerability Rivera and Zheng found, where malware could change the notification setting on a compromised computer without the user's knowledge. Rather than going back to the same setting Vista used, which would have created the Vista UAC nightmare all over again (resulting in users disabling UAC altogether), Windows 7 will require a user prompt whenever this notification setting is changed. Microsoft is being less specific about a second change to Windows 7 that "prevents all the mechanics around SendKeys and like from working". Together, the two changes effectively render the problem Rivera/Zheng found moot. But this solution doesn't solve the core user experience flaw with UAC, as I'll talk about in a moment.
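As an added example that is not part of the article, here is a PowerShell check a defender can run to read the policy values behind the UAC notification level and flag the states in which UAC has gone silent, which is the end state the setting-tampering issue above produced. The registry path and value names are the standard Windows UAC policy locations; the choice of which values count as "weak" is this example's own assumption.

```powershell
# Added example (not from the article): audit the UAC policy values behind the
# Windows 7 notification slider and report states that make UAC silent.
# Path and value names are the documented UAC policy locations; treating
# EnableLUA=0, ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 as
# weak is this example's assumption about what a defender wants to see.
function Get-UacPosture {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path

    # Meaning of each ConsentPromptBehaviorAdmin value (admin-approval mode).
    $adminPrompt = @{
        0 = 'Elevate without prompting (no UAC dialog for administrators)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }

    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled entirely.'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate silently.'
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        # Off the secure desktop, the prompt shares the interactive desktop with
        # ordinary user-mode programs instead of being isolated from them.
        $findings += 'PromptOnSecureDesktop is not 1: prompts are not isolated on the secure desktop.'
    }

    $summary = if ($findings.Count -gt 0) { $findings -join ' ' } else { 'No weak UAC settings found.' }
    $behaviour = $adminPrompt[[int]$p.ConsentPromptBehaviorAdmin]

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = "$($p.ConsentPromptBehaviorAdmin) - $behaviour"
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Findings                   = $summary
    }
}

Get-UacPosture | Format-List
```

Reading HKLM policy values needs no elevation, so the check itself does not trigger a UAC prompt; a non-empty Findings field is the signal worth alerting on across a fleet.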

First, I applaud Microsoft on two fronts: listening to the community during the Windows 7 beta, and coming up with a resolution rather than just caving in. Microsoft's new accelerated release cycle could have resulted in user feedback being discarded for the sake of getting the product to market. Certainly the fact that this was 1) a security issue and 2) dealt with the controversial UAC meant that Microsoft faced reigniting the woes of UAC past. The bottom line is, Microsoft listened and took action relatively quickly, and Microsoft elected to come up with and implement a resolution in the Windows 7 RC that's much better than just going back to Vista's chatty default setting.

But ultimately this doesn't solve UAC's core design flaw. UAC's Achilles' heel is that it relies on the end user to "okay" any change flagged by UAC. Let me explain why this is a fundamental flaw.

UAC suffers from the same flaws we saw in early personal firewall products. Remember the days when every personal firewall tossed up a dialog box at the drop of a hat? The result: users applied the Just-Say-Yes-Fatigue principle -- always click okay or approve on any popup dialog box, because 99% of users didn't have the time, knowledge or expertise to answer cryptic (to them) questions like, "approve svchost.exe connection to the Internet?". After a while users just automatically click "yes" so they can get on with using their computer.

UAC relies on the same approach - ask the user - and the result is the same... Just-Say-Yes-Fatigue. Prompted with enough UAC dialog boxes, users stop reading their contents and just click okay. Add to this the fact that it's very unlikely the average user would see any information in the dialog box that would tell them this is a potentially malicious situation versus a normal operation in Windows 7; the dialog box UAC presents looks virtually the same in both situations. Add to this the fact that UAC is essentially just asking the end user for a second okay on an action they already performed (like downloading a program they want to install). All of these factors contribute to Just-Say-Yes-Fatigue.

Microsoft's own user experience findings back me up on this.

"If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer." Jon DeVaan, Microsoft's senior vice president for Windows architecture.

There's another principle that contributes to Just-Say-Yes-Fatigue. 99% of end users configure their computers for convenience, not security. Let me say it another way... When pressed, end users opt for convenience, not better security. The reason anti-virus and personal firewalls are so prevalent on computers today is that they don't get in the way of the user's experience. If they did, the average end user would always click the okay button or just disable the offending software altogether.

UAC's original design flaw in Vista wasn't only that it was too chatty and annoyed users; it's that UAC relies on the average end user to approve actions on their computer in the first place. Now you might say something like, "if end users don't know better, then they shouldn't be using a computer." Most computer users aren't like you and me. They don't get into, and more or less don't care about, the intricacies of Windows, operating system settings or what appear to them as esoteric security issues. They are consumers of what computers provide them: useful functions like email, web browsing, word processing, calendaring, photo sharing, business applications, etc.

For UAC to ultimately prove effective in providing better security, UAC has to travel the same path the personal firewall did. UAC must itself be able to determine when a system setting change or operation is being performed intentionally by the user versus by malware. Personal firewalls had to make the same change - to be able to detect which types of network traffic and behaviors were normal and which were potentially malicious. UAC must stop relying on the end user to approve actions on their computer, because most users won't know, or won't take the time to discern, whether this UAC request is good or that UAC request is bad.

Microsoft's solution to the UAC notification settings debate actually contributes further to Just-Say-Yes-Fatigue. It's one more thing the user has to approve, and how will they recognize that this situation is any different or more severe than any other UAC dialog box?

Until UAC stops relying on the average end user to give it a thumbs up or thumbs down, UAC has only won the battle and not the war for better security.


If I install some soft, I


If I install some soft, I click YES without reading. I know it needs 'windows sudo' to do the stuff. In the other situation - I run a vague app, now I can - if it shows a UAC prompt - it's evil, it shouldn't do that, I will have a chance to stop it. In Linux you have the same - if it is YOUR desktop Linux, you will use sudo a lot. What you suggest for MS to do is difficult. You cannot predict all harmless actions, software and activities. And you'll probably agree that malware will pretend to be that harmless software excluded from prompting to do its evil. Therefore I think there's no way to stop malware in any OS without basic know-how on the user's side. I haven't used any AV software for many years and I've never experienced a virus or trojan. I don't know, we should educate people on the simple thing - never run any executable if they aren't absolutely sure what it is. Never open any mail attachment if it isn't exactly the file they asked for. In most cases it should work as it works for me. No AVs, no malware.

Fixed UAC gives just one luxury: running suspicious files by people who know what they do. Recently I ran a trojan on my Windows 7 beta. The poor thing died before it even started trying to harm my system. I would never run this scum on XP. It would be hours of fixing stuff afterwards.

Most people miss the Real Point of UAC...


The point of UAC being, as Microsoft is getting tired of telling us: "Make everyone run as a normal user". The point is not to act as a firewall. The point is to require elevation every time it is needed, so that the normal security context is one of non-privilege.

The security boundary is that you are normally running everything as an unprivileged user, and the system is raising the privilege level each time an action requiring extra privileges needs to run.

UAC has a control mechanism that can be turned off completely. Its adjustability is the way you mitigate the Spouse Mode automatic "yes, Dear..." clicking of every dialog box that you're complaining about. And, BTW, they ADDED one extra level of adjustability in Windows 7.

Keep in mind that other OSes require similar steps; versions of Linux actually prompt for your password. (Talk about a bad idea? All one needs to do is spoof the password prompt, in the USER'S context mind you, and happily collect the keys to the kingdom!)

About Converging on Microsoft
Mitchell Ashley is principal consultant at Converging Network LLC, where he provides product, technology and social media consulting to emerging technology companies. A successful CTO and product innovator, Mitchell has created many successful, award-winning products in the networking, security, convergence, Internet and IT industries. In addition to blogging for NetworkWorld, Mitchell regularly blogs at TheConvergingNetwork and co-hosts the widely popular StillSecure After All These Years podcast.