Windows 7 UAC Fix Doesn't Address UAC's Fatal Flaw

Wow, that was a fast turnaround from Microsoft, something we're definitely not used to. Microsoft quickly changed its position on the UAC notification default setting issue in Windows 7, due to the vulnerability River and Zheng found where malware could change the notification setting on a compromised computer without the user's knowledge. Rather than going back to the same setting Vista used, which would have created the Vista UAC nightmare all over again (resulting in users disabling UAC altogether), Windows 7 will require user prompting whenever this notification setting is changed. Microsoft is being less specific about a second change to Windows 7 that "prevents all the mechanics around SendKeys and like from working". The two changes effectively render the problem River/Zheng found moot. But this solution doesn't solve the core user experience flaw with UAC, as I'll talk about in a moment.
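The notification setting at the center of this debate is just a handful of registry values, so an administrator can audit it rather than trusting the slider. The following PowerShell check is an added example and is not code from the article or from Microsoft; it reads the documented UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and flags the combinations that leave UAC silent. The interpretation of each numeric value follows Microsoft's Group Policy documentation; the function name Get-UacPosture and the finding text are my own.

```powershell
# Added example (not from the article): report the UAC policy values that decide
# whether, and where, an elevation prompt is shown. Value meanings follow the
# documented UAC Group Policy settings; the function name is my own.

function Get-UacPosture {
    [CmdletBinding()]
    param()

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path -ErrorAction Stop

    # Values that are not present are reported as "not set" rather than guessed.
    $enableLua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { $null }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { $null }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { $null }

    # Documented meanings of ConsentPromptBehaviorAdmin.
    $adminPromptMeaning = switch ($adminPrompt) {
        0       { 'Elevate without prompting' }
        1       { 'Prompt for credentials on the secure desktop' }
        2       { 'Prompt for consent on the secure desktop' }
        3       { 'Prompt for credentials' }
        4       { 'Prompt for consent' }
        5       { 'Prompt for consent for non-Windows binaries' }
        $null   { 'not set' }
        default { "Unknown value $adminPrompt" }
    }

    # Each finding describes a configuration in which the user never sees, or
    # cannot trust, the prompt the article is discussing.
    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled entirely (effective after reboot).'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently, so UAC is effectively off for admin accounts.'
    }
    if ($secureDesk -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts are drawn on the normal desktop instead of the isolated secure desktop.'
    }
    if ($findings.Count -eq 0) {
        $findings += 'No silent-elevation settings found.'
    }

    [pscustomobject]@{
        EnableLUA                  = if ($null -ne $enableLua) { $enableLua } else { 'not set' }
        ConsentPromptBehaviorAdmin = $adminPromptMeaning
        PromptOnSecureDesktop      = if ($null -ne $secureDesk) { $secureDesk } else { 'not set' }
        Findings                   = $findings
    }
}

# Usage: run from an elevated or standard prompt; reading HKLM policy values
# does not itself require elevation.
Get-UacPosture | Format-List
```

Because these values can be changed by anything running with administrative rights, the useful follow-up is to compare the output against the baseline you expect and to alert on drift, which is exactly the class of change the Windows 7 fix now prompts the user about.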

First, I applaud Microsoft on two fronts: listening to the community during the Windows 7 beta, and coming up with a resolution rather than just caving in. Microsoft's new accelerated release cycle could have resulted in user feedback being discarded for the sake of getting product to market. Certainly the fact that this was 1) a security issue and 2) dealt with the controversial UAC, meant that Microsoft faced reigniting the woes of UAC past. The bottom line is, Microsoft listened and took action relatively quickly, and Microsoft elected to come up with and implement a resolution in the Windows 7 RC that's much better than just going back to Vista's chatty default setting.

But ultimately this doesn't solve UAC's core design flaw. UAC's Achilles' heel is that it relies on the end user to "okay" any change flagged by UAC. Let me explain why this is a fundamental flaw.

UAC falls prey to the same flaws we saw in early personal firewall products. Remember the days when every personal firewall tossed up a dialog box at the drop of a hat? The result: users applied the Just-Say-Yes-Fatigue principle -- always click okay or approve on any popup dialog box, because 99% of users didn't have the time, knowledge or expertise to know the answer to cryptic (to them) questions like, "approve svchost.exe connection to the Internet?". After a while users just automatically click "yes" so they can get on with using their computer.

UAC relies on the same approach - ask the user - and the result is the same... Just-Say-Yes-Fatigue. Prompted with enough UAC dialog boxes, users stop reading their contents and just click okay. Add to this the fact that it's very unlikely the average user would see any information in the dialog box that would tell them this is a potentially malicious situation versus a normal operation in Windows 7. The dialog box UAC presents looks virtually the same in both situations. Add to this the fact that users stop reading the contents of these notifications. Add to this the fact that UAC essentially is just asking the end user for a second okay to an action they already performed (like downloading a program they want to install). All of these factors contribute to Just-Say-Yes-Fatigue.

Microsoft's own user experience findings back me up on this.

"If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer." -- Jon DeVaan, Microsoft's senior vice president for Windows architecture.

There's another principle that contributes to Just-Say-Yes-Fatigue. 99% of end users configure their computers for convenience, not security. Let me say it another way... When pressed, end user behavior is to opt for convenience, not better security. The reason anti-virus and personal firewalls are so prevalent on computers today is because they don't get in the way of the user's experience. If they did the average end user would always click the okay button or just disable the offending software altogether.

UAC's original design flaw in Vista wasn't only that it was too chatty and annoyed users; it's that UAC relies on the average end user to approve actions on their computer in the first place. Now you might say something like, "if end users don't know better, then they shouldn't be using a computer." Most computer users aren't like you and me. They don't get into, or for that matter care about, the intricacies of Windows, operating system settings or what appears to them as esoteric security issues. They are consumers of what computers provide them: useful functions like email, web browsing, word processing, calendaring, photo sharing, business applications, etc.

For UAC to ultimately prove effective in providing better security, UAC has to travel the same path the personal firewall did. UAC must itself be able to determine when a system setting change or operation is being performed intentionally by the user versus by malware. Personal firewalls had to make the same change - to be able to detect which types of network traffic and behaviors were normal and which are potentially malicious. UAC must stop relying on the end user to approve actions on their computer, because most users won't know, or won't take the time, to discern whether this UAC request is good or that UAC request is bad.

Microsoft's solution to the UAC notification settings debate actually contributes further to Just-Say-Yes-Fatigue. It's one more thing the user has to approve, and how will they recognize that this situation is any different or more severe than any other UAC dialog box?

Until UAC stops relying on the average end user to give it a thumbs up or thumbs down, UAC has only won the battle and not the war for better security.


Copyright © 2009 IDG Communications, Inc.
