Scott Charney, head of Microsoft's Trustworthy Computing division, admitted this week that Windows Vista's User Account Control (UAC) prompts are not intuitive and confuse users.
In a video interview with ZDNet.com.au at the AusCERT 2008 conference this week, Charney said Microsoft needs to make improvements around UAC.
"Clearly there is work that has to be done around the UAC prompts — in part because of user feedback that they get the prompts at times they don't necessarily expect them and it is not intuitive.
"If you give people too many prompts in too many situations, they view it as an impediment to getting their work done and they just start clicking ok on everything," said Charney.
He said that the language used in prompts is also confusing.
"We give them dialogues and prompts that don't help them make the right decision as often as we would like. You can be surfing the Web and get a warning that this site is out of another site's control, or you may be passing data to another site. What is a user supposed to do with that information?
"You can click cancel and not do what you were trying to do, or you can accept the risk — we need to figure out better ways to mitigate that risk but let the user achieve their objective," he added.
Charney's comments echo those of Ivan Krstić, the former director of security architecture for the One Laptop Per Child project, who opened last year's AusCERT conference by claiming that desktop security was completely broken.
In an interview with ZDNet.com.au at last year's conference, Krstić said: "If you go to a Web site whose security certificate is for any reason not checking out, you get a dialogue box that you [require] strong Internet security [skills] to decipher," he said. "For anyone else, they get to do a random guess between yes, no and cancel. That's no way to protect anyone," he added.
Krstić said software vendors were "weaselling off responsibility for security to users" in order to "legally protect themselves".