Has Windows Vista's UAC feature failed Microsoft?



Experts agree that Microsoft's Windows Vista is relatively well-protected, but its security features — such as User Account Control (UAC) — have been highlighted by security experts as one reason why the operating system is far less popular than its predecessor, Windows XP.

According to Scott Charney, vice president of Microsoft's Trustworthy Computing Group, UAC was designed to give users more control over the applications they run and help them make better security decisions by providing them with more information.

However, the main problem with Vista's UAC, according to Charney, is that it prompts the user far too often.

"Clearly there has to be work done on UAC user prompts, where users get prompts at times they don't necessarily expect it — and it's not intuitive. The challenge is — as with many of these things when we try to give users control — if you give people too many prompts in too many situations, they view it as an impediment," Charney told ZDNet.com.au yesterday at the AusCERT security conference on the Gold Coast.

Mikko Hypponen, F-Secure's chief research officer, said although security features in Windows Vista are impressive, UAC remains a problem.

"There's not much we can criticise in Vista's security. Microsoft did a good job. UAC is not a bad idea by itself, but I don't see any way you could implement it in a way so it doesn't buck the user," said Hypponen.

In a recent survey, security vendor PC Tools discovered that out of 1,000 Vista-based PCs, 639 had been infected by malware in the previous six months. The company's managing director Simon Clausen blamed the high rate of infection on users that had switched off UAC because it was so annoying: "The majority of machines we see have UAC turned off if the user knows how to do it," he said.

The difficulty with UAC, according to F-Secure's Hypponen, is that Microsoft assumes the user should have administrator rights, an issue that Mac- and Linux-based systems dealt with a long time ago.

"Most Linux installations will say that you must create a user account. The big difference between a Mac and Vista is that, by default, on a Mac, you're not an administrator. On a Mac you only get prompted for root password when you're installing an application. Under Vista this happens a lot more because you have admin rights, so the UAC pops up often. Vista installation should end with [mandatory creation of] a user account with user access rights, not administrator rights," said Hypponen.

Microsoft's Charney said that UAC was Microsoft's first attempt to break away from its tradition of users being an administrator by default.

"Part of the reason UAC exists is we've been pushing people to the standard computing model. When you're an administrator on a machine, you have these all-powerful rights that also allow malware to do bad things. Increasingly we want people to be standard users.

"At the same time, there are times you need to be elevated to administrator to install programs. UAC was an attempt to say let's run a standard but when you need a higher level of privilege, rather than doing that silently, let's involve the user in that decision. Clearly we have to do more work in this area," Charney added.

Microsoft security architect Roger Grimes said that although features such as UAC in Windows Vista are useful, some malware writers already know how to defeat them — and the rest will learn once UAC-type protections are ubiquitous.

"Least privilege permissions are a part of a good defence-in-depth strategy but it's not the endgame. If everybody is logged-in not as admin or not as root, it is really not going to stop the malware in the long run ... malware is not going to disappear," Grimes told AusCERT delegates.

Grimes added that malware could infect a computer using various attack vectors, but if the user is not an administrator, the attacks are generally less dangerous.

"Can a malware program steal your password if you are not an administrator? Can [criminals] create a program that waits for you to log into your bank, authenticate and then take all your money? The short answer is, yes, absolutely," he added.

According to IBRS security analyst James Turner, Microsoft's decision to sacrifice security for user friendliness has backfired on the company.

"This is a tough legacy which Microsoft has been dealing with since the days of MSDOS. DOS was almost like a stripped back version of Unix and Microsoft left some of the cool stuff — things like file permissions — behind. So they've been dealing with this fairly fundamental void in their core ever since. Microsoft has always been the easy, user-friendly operating system and now this same ease of use has become a liability," said Turner.

ZDNet.com.au's Munir Kotadia contributed to this report.


Liam Tung

  • UAC is no different to sudo on Ubuntu or Mac OS X's prompt

    They're *exactly the same*. Yes, you get more prompts with UAC, but that's something that Microsoft can work on. But it is fundamentally the same thing as the "admin prompt" on Mac OSX, or the "sudo" program on Ubuntu (in fact, by default, the first user created in Ubuntu is a "sudoer" -- exactly the same as on Vista).

    And as for that "639 out of 1,000" Vista machines having malware on there, I made a comment on that other article already, that everyone seemed to ignore... I'll ask again, though, just because I like talking to brick walls. If 1,021 out of every 1,000 Windows XP machines are infected with malware, how can that possibly be anything but "1 machine with two infections is counted twice" -- and if that's the case, how can you credibly say that "639 out of 1,000 Vista machines have been infected with malware"?
  • UAC needs fixing

    90% of those pop up UAC are telling the average computer user nothing. They don't understand what the warning is about. They don't know all that technical stuff. No wonder people turn it off, it doesn't mean anything to them.
  • You are wrong

    You are wrong. I use Vista and Mac OS X all the time.

    The Mac is very different. You approve the application once with your password. If anything changes, OS X tells you and allows you to see the source web site that supplied the code. You can then decide to re-approve or deny access.

    Approved applications then run without any further prompting.

    Contrast with UAC that constantly asks you each time you launch applications, including control panel options. It is infuriating.

    The Mac way has never infuriated me.
  • Windows Volvo

    They should have called it Windows Volvo. Superbly engineered operating system to protect the stupidity of its users.

    I can tell you one thing. The only Vista machines brought back into my shop for viral and spyware infections are the ones with UAC turned off or the ones owned by professional OK button pressers.
  • what the....???

    Superbly engineered operating system?? Fella, you shouldn't have anything to do with computers.
  • Unique Threats per 1000 machines

    The numbers are (as pointed out by Dean) not for the number of PCs per 1000 infected but the unique threats per 1000 PC over 6 months. If one in a thousand PCs was threatened 639 times in 6 months then the number would be the same. These "statistics" do not say what the report says they say. The report is very misleading. See for yourself at http://www.pctools.com/news/view/id/206.
  • Statistics???

    You know what they say about statistics!!