Microsoft blames users for malware on Vista PCs

Around 70 percent of Windows Vista on home systems are infected with malware, according to PC Tools, which blames Vista's UAC security feature for the high count — but Microsoft says it's user complacency that caused such a high rate of infection.

Research conducted by security company PC Tools over the past six months looked at malware infections on 1.4 million PCs installed with its ThreatFire software, which detects suspicious behaviour on PCs. Malware samples were tested against several antivirus engines, PC Tools said.

Out of every 1,000 Vista machines, 639 were infected by malware at some stage in the past six months, compared with 586 infections for PCs running Windows 2000. However, Microsoft's Windows XP was by far the worst performer with an infection rate of 1,021.

"I would have expected that [infections] would be around two out of 10 Vista machines, but it is six to seven out of every 10 machines," PC Tools managing director, Simon Clausen told ZDNet.com.au.

Clausen blames the high rate of infection on Vista PCs because users have switched off Microsoft's User Account Control (UAC) function.

"The majority of machines we see have UAC turned off if the user knows how to do it," he said.

UAC was designed by Microsoft to address the problem of applications having administrator privileges. With UAC, the user is prompted for a password before any software can be installed on the system.

Microsoft admits that UAC was designed to "be annoying", according to David Cross, who was the group program manager in charge of the feature.

"The reason we put UAC into the [Vista] platform was to annoy users — I'm serious," said Cross, speaking at the RSA Conference in San Francisco earlier this year. "Most users had administrator privileges on previous Windows systems and most applications needed administrator privileges to install or run."

Security companies, such as Kaspersky, agree that UAC is annoying and believe Microsoft went too far because users are simply disabling it.

PC Tools' Clausen said: "UAC fails for two reasons: it prompts users far too often, so users are constantly clicking 'OK', or people get sick of it and turn it off."

Microsoft, however, says the so-called annoying UAC prompts will die down after a few days.

"Keep in mind that the primary goal of the User Account Control security feature is to make Windows work well for non-administrator users. Also, please note that users will experience the most prompts in the first few days of using Windows Vista as a normal part of the initial set-up and configuration of their machines," a Microsoft spokesperson recently told ZDNet.com.au.

Technet blogger and Microsoft evangelist Michael Kleef has also blamed users for executing malicious code on their machines. He said the number of infections found by PC Tools was an indication of poor user behaviour.

"The number of virus infections found by a virus vendor does not necessarily equal poor security," wrote Kleef in a blog post. "In many cases it equals poor user behaviour. If I, despite all prompting and consent behaviour, choose to go to a (probably dodgy) Web site, accept the ActiveX control prompts to download (probably dodgy) code and I actually choose to execute that code then I'm hosed."

Kleef claimed the number of infections was not purely the operating system's fault, but said that "in some cases it's the user and their lack of knowledge and their implicit 'it-won't-happen-to-me' complacency" that causes them to get infected.