Has Windows Vista's UAC feature failed Microsoft?

Experts agree that Microsoft's Windows Vista is relatively well-protected but its security features — such as User Account Control (UAC) — have been highlighted by security experts as one reason why the operating system is far less popular than its predecessor, Windows XP.
Written by Liam Tung, Contributing Writer

Experts agree that Microsoft's Windows Vista is relatively well-protected, but its security features — such as User Account Control (UAC) — have been highlighted by security experts as one reason why the operating system is far less popular than its predecessor, Windows XP.


According to Scott Charney, vice president of Microsoft's Trustworthy Computing Group, UAC was designed to give users more control over the applications they run and help them make better security decisions by providing them with more information.

However, the main problem with Vista's UAC, according to Charney, is that it prompts the user far too often.

"Clearly there has to be work done on UAC user prompts, where users get prompts at times they don't necessarily expect it — and it's not intuitive. The challenge is — as with many of these things when we try to give users control — if you give people too many prompts in too many situations, they view it as an impediment," Charney told ZDNet.com.au yesterday at the AusCERT security conference on the Gold Coast.

Mikko Hypponen, F-Secure's chief research officer, said although security features in Windows Vista are impressive, UAC remains a problem.

"There's not much we can criticise in Vista's security. Microsoft did a good job. UAC is not a bad idea by itself, but I don't see any way you could implement it in a way so it doesn't buck the user," said Hypponen.

In a recent survey, security vendor PC Tools discovered that out of 1,000 Vista-based PCs, 639 had been infected by malware in the previous six months. The company's managing director Simon Clausen blamed the high rate of infection on users that had switched off UAC because it was so annoying: "The majority of machines we see have UAC turned off if the user knows how to do it," he said.

The difficulty with UAC, according to F-Secure's Hypponen, is that Microsoft assumes the user should have administrator rights, an issue that Mac- and Linux-based systems dealt with a long time ago.

"Most Linux installations will say that you must create a user account. The big difference between a Mac and Vista is that, by default, on a Mac, you're not an administrator. On a Mac you only get prompted for root password when you're installing an application. Under Vista this happens a lot more because you have admin rights, so the UAC pops up often. Vista installation should end with [mandatory creation of] a user account with user access rights, not administrator rights," said Hypponen.

Microsoft's Charney said that UAC was Microsoft's first attempt to break away from its tradition of users being an administrator by default.

"Part of the reason UAC exists is we've been pushing people to the standard computing model. When you're an administrator on a machine, you have these all-powerful rights that also allow malware to do bad things. Increasingly we want people to be standard users.

"At the same time, there are times you need to be elevated to administrator to install programs. UAC was an attempt to say let's run a standard but when you need a higher level of privilege, rather than doing that silently, let's involve the user in that decision. Clearly we have to do more work in this area," Charney added.

Microsoft security architect Roger Grimes said that although features such UAC in Windows Vista are useful, some malware writers already know how to defeat them — and the rest will learn once UAC-type protections are ubiquitous.

"Least privilege permissions are a part of a good defence-in-depth strategy but it's not the endgame. If everybody is logged-in not as admin or not as root, it is really not going to stop the malware in the long run ... malware is not going to disappear," Grimes told AusCERT delegates.

Grimes added malware could infect a computer using various attack vectors but if the user is not an administrator, the attacks are generally less dangerous.

"Can a malware program steal your password if you are not an administrator? Can [criminals] create a program that waits for you to log into your bank, authenticate and then take all your money? The short answer is, yes, absolutely," he added.

According to IBRS security analyst James Turner, Microsoft's decision to sacrifice security for user friendliness has backfired on the company.

"This is a tough legacy which Microsoft has been dealing with since the days of MSDOS. DOS was almost like a stripped back version of Unix and Microsoft left some of the cool stuff — things like file permissions — behind. So they've been dealing with this fairly fundamental void in their core ever since. Microsoft has always been the easy, user-friendly operating system and now this same ease of use has become a liability," said Turner.

ZDNet.com.au's Munir Kotadia contributed to this report.

Editorial standards