I'll take an annoying Windows 7, if it's more secure
The annoying, more secure Windows 7? (Credit: Microsoft)
Last Friday, Ina Fried detailed an interesting report from blogger Long Zheng, who "is drawing attention to an apparent shortcoming" in Microsoft's desire to make Windows 7 less annoying.
According to the report, Zheng believes that because Windows 7's User Account Control isn't as annoying as it was in Windows Vista, Microsoft is leaving its users open to more threats by third parties trying to exploit vulnerabilities. Zheng contends that due to changes in UAC, "malicious code could turn off alerts entirely with the user getting little notice that such a change had been made."
Zheng said in a blog post that he and a fellow blogger, Rafael Rivera, have written proof-of-concept code to prove his theory. He believes, "at a minimum, that Microsoft's default setting (should) also warn users if a change is being made to UAC itself."
In Windows Vista, a UAC prompt popped up each time any major change was made to the system. Some users found that annoying. Realizing that, Microsoft decided that in Windows 7, users would be able to decide how often they want to be notified. The default setting in the beta release of the OS only notifies users when a third-party application is making a change.
It should be noted that Zheng's contention is based on the Windows 7 beta, which means practically nothing until the final build hits store shelves. Microsoft can change that setting at any time and make this issue go away. More importantly, it can be changed by the administrator, so the issue, while present, shouldn't be blown out of proportion.
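An administrator can check which notification level a machine is actually running from the UAC policy values in the registry. The script below is an added example, not code from the article, from Zheng, or from Microsoft; it assumes the standard `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` values, and the level names it prints are descriptive labels chosen for this example.

```powershell
# Added example: classify the UAC notification level from its policy values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -eq 0) { return 'UAC disabled' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify (elevates silently)' }
        2 { return 'Always notify' }
        5 {
            # 5 = prompt for consent only for non-Windows binaries (the default level)
            if ($PromptOnSecureDesktop -eq 1) { return 'Default: prompt for non-Windows programs only' }
            return 'Default level, secure desktop off'
        }
        default { return "Custom (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin)" }
    }
}

function New-UacRow {
    param([string]$Source, [int]$Lua, [int]$Consent, [int]$SecureDesktop)
    $level = Get-UacLevel -EnableLUA $Lua -ConsentPromptBehaviorAdmin $Consent `
                          -PromptOnSecureDesktop $SecureDesktop
    [pscustomobject]@{
        Source       = $Source
        Level        = $level
        AlwaysNotify = ($level -eq 'Always notify')   # $false means some changes go unprompted
    }
}

# Constructed sample settings, so the mapping can be checked on any machine.
$rows = @(
    New-UacRow -Source 'sample: always notify' -Lua 1 -Consent 2 -SecureDesktop 1
    New-UacRow -Source 'sample: default'       -Lua 1 -Consent 5 -SecureDesktop 1
    New-UacRow -Source 'sample: never notify'  -Lua 1 -Consent 0 -SecureDesktop 0
    New-UacRow -Source 'sample: UAC off'       -Lua 0 -Consent 0 -SecureDesktop 0
)

# The live machine, when the policy key exists (Windows only).
# A value missing from the key is read as 0 by the [int] parameters.
if (Test-Path $UacKey) {
    $p = Get-ItemProperty -Path $UacKey
    $rows += New-UacRow -Source $env:COMPUTERNAME -Lua $p.EnableLUA `
                        -Consent $p.ConsentPromptBehaviorAdmin `
                        -SecureDesktop $p.PromptOnSecureDesktop
}

$rows | Format-Table -AutoSize
```

Running the same check on a schedule and comparing the result with the previous run surfaces a notification level that was lowered without the user noticing, which is the change Zheng wants the default setting to warn about.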
Still, it's because of that setting that Windows 7 is less annoying. Should we accept annoyance anyway, if it means more security? I think we should.
Annoyance with more security isn't necessarily a bad thing. But Microsoft is trying to find a way to achieve less annoyance while maintaining security. That won't be easy.
"We understand adding an extra click can be annoying, especially for users who are highly knowledgeable about what is happening with their system (or for people just trying to get work done)," Ben Fathi, a Windows 7 engineer, wrote in a blog post. "However, for most users, the potential benefit is that UAC forces malware or poorly written software to show itself and get your approval before it can potentially harm the system."
In the same blog post, Fathi posed the question of whether or not UAC actually makes your system more secure. Unfortunately, the answer was less than ideal.
"Does (UAC) make the system more secure?" Fathi said. "If every user of Windows were an expert that understands the cause/effect of all operations, the UAC prompt would make perfect sense and nothing malicious would slip through. The reality is that some people don't read the prompts, and thus gain no benefit from them (and are just annoyed)...There is the potential for a definite security benefit if you take the time to analyze each prompt and decide if it's something you want to happen. However, we haven't made things easy on you--the dialogs in Vista aren't easy to decipher and are often not memorable."
Worse, the company found in an internal study that users are "approving 89 percent of prompts in Vista and 91 percent in SP1." In other words, users are "responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions."
So maybe the issue isn't necessarily the number of UAC prompts, but the quality of those prompts. Maybe Microsoft needs to focus on making those UAC prompts more intelligent, more informative, and less derivative. After all, if users are better informed, they may be less annoyed, creating a situation where UAC actually cuts down on many of the issues facing Microsoft's operating system.
So, there's your challenge, Microsoft: make Windows 7 more secure, but cut down on UAC annoyances. Is it possible? Sure. But in its current state in Windows 7, it's not enough of an improvement to ensure more security, since many users won't change the default setting, leaving them open to exploitation, while others will ignore most of the prompts.
No one said securing Windows 7 would be simple. But Microsoft has a vested interest in keeping us safe when we use its OS, and UAC is a key component in that. Now it needs to figure out how to make everyone happy. And maybe eliminating annoyance isn't the best way to do that. Perhaps annoying us just a little less is the best way to secure Windows 7.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET.








Bill
From a story of Don's somewhere around Sept. of 2007:
"I also find it interesting that Microsoft decided to take the user access control concept from Mac OS X and make it much worse. Can someone please explain to me why I need to be asked if I wanted to do something entirely innocuous like open a third-party app from a well-known software company?"
It doesn't mean that he doesn't like UAC, it means that he doesn't like the implementation of it, which I agree with. I switched to Ubuntu Linux less than 2 months ago and have been working with a very secure, very user friendly type of UAC with no annoyance factor. It's been around for long enough that MS developers should have realized they have no need to redesign it.
UAC for MS is horrible in either form that has appeared in both new versions, it's either too annoying to be functional or too easy to turn off completely without ever letting you know. It's like either locking your doors, setting up guard dogs along with a full security detail behind bullet proof glass and a mechanized machine gun on a pedestal when using Vista or locking your doors and leaving the key hanging on the outside with Windows 7.
By the way, if you're a techy with no antivirus software and your computer gets a virus, how would you know? Do you go through all programs every single day, including all parts of all programs and every single line of code for those parts, go through the registry to make sure no rogue elements have been added and remove each one manually or are you just that arrogant to say "I'm too smart to get a virus"?
Either way you're an idiot.
You're either using up all your time on lines of code or you're an idiot for thinking you're actually too smart to get a virus.
I'm a smart guy, I can see when there's a change in code and I know how to fix it. I also realize that having an antivirus program saves me the time I would otherwise have spent doing things I actually enjoy doing.
Get a clue and get some antivirus.
I wasn't suggesting to turn UAC off, I was suggesting a better setup for it. There are already very user friendly and secure models to be followed which were in place long before MS started to design it into Windows. Following the Linux model would have left you with a much better experience using UAC, just put in your password, install the program or make the change and it times itself out. Set it to a reasonable amount of time for Windows and give the user the timer.
That means there are very few moments throughout the day when the user would have less protection, but again, all Windows would need is a program installer that is run separately from the rest of the system and suddenly it's the only program with those elevated privileges which must be granted by the user.
In other words, make it work right, but don't just turn it down.
I prefer safety over annoyance. That is why I actually recommended Vista when it was unpopular. :)
What sucks is that we have to listen to wendy whiners that could care less about securing the OS, and just want to complain about anything Microsoft creates.
Securing the OS means not only leaving it set halfway so that you'll leave it on, but it still lets malware turn it down because you don't get prompted, but also not making it so annoying when it's turned all the way up that you turn it off. I've used Vista, it looks great, but it's bloated. I haven't used Windows 7, but I have read many reviews on it and all have suggested that perhaps the UAC needs to be turned on all the way.
I've also read reviews on Linux distros and have read about OS X. Guess what never gets brought up. Don't know?
The fact that both Linux and OS X have a form of UAC which does not annoy, is not set at a halfway point and is at least as secure as Vista is proof enough that MS should stop fooling around and just do it right.
When MS does something right the first time, I'll applaud the effort and I'll be right there to praise them, but until then, I'll criticize.
My preference, honed from long years doing UNIX system administration, is to always run as an unprivileged user and escalate for tasks when I need to. I prefer a password authentication when I do such authorization, there's no way some malware author is going to be able to work their way around not knowing my password.
On UNIX the "sudo" command lets me do privilege escalation, prompting me for a password only if I haven't done a command in the last few minutes. On MacOS I'm prompted when I drag something into Applications, or run a package installer, or to unlock the system preferences when I want to make a change to system settings. The critical bit here is that I am prompted /once/ for each logical operation (the UNIX system using frequency as a way to determine logical operation separation).
On Vista it doesn't work that way. Theoretically Vista should be more secure as it requires you to authorize each individual change, but practically speaking that gets you cross-eyed annoyed really fast. A whole lot of application installations require three or more authorizations back-to-back. I rapidly gave up on using password authentication on each of them, it was just too much, turning it down to just an OK button (authorization without authentication).
Can Microsoft find a way to make the annoyances more meaningful? I dare say they can because there are several examples of effective compromise already in existence.
They could, for instance, substantially improve things by simply auto-authorizing if multiple UAC events happen within a specific time period. Sudo uses 5 minutes, which is pretty reasonable, although given the bursty nature of UAC prompts I bet they could use a much tighter 2 minutes for tighter security.
They could also be very smart about it. My guess is that the multiple UAC prompts happen because an installer is launching subprocesses that must be authorized independently. Windows could backtrack up to the super-process and blanket-authenticate any other sub-processes (perhaps for a limited time window). This way multiple installers must be authorized independently, making security tighter than the UNIX sudo approach.
Whatever they do to handle installers, they can sure as hell fix sequential UAC prompts in the control panel. They control that ecosystem end-to-end.
Regardless, I will continue to recommend that UAC be left enabled. It is the last-chance defense against malware. Giving that up means giving up the only line of defense you have the next time Internet Explorer (or Mozilla, or whatever) has a significant unpatched security problem. Since those pop up weekly that's a whole lot to give up if you ask me.
jim frost
jimf@frostbytes.com
I've never had that happen to me.
Furthermore, the 91% statistic makes sense to me, as most of the time, it is for an installation that you do want.
The 9% is much more significant, as it shows how useful it is.
It's saved my computer at least once.
Then you need to raise your standards. The better question might be, why settle? Explore the alternatives to the MS tax.
GET A REAL SIM: X-PLANE unless of course you think countless REAL plane manufacturers are wrong who design their products using X-plane....Scaled Composites for one.
Must I have to go into the "Can it play Crysis?" mode?
http://www.junauza.com/2008/12/yes-linux-can-run-crysis.html
Did a little research, that was on the front page of Google when I looked up Crysis on Ubuntu.
Just thought you should know.
There isn't really a major learning curve between XP and Vista - there's the same little tiles, that you click on.
The biggest difference for your employees would just be a change in colour, and that the start button is smaller.
I'm sure they're able to figure that out.
Ok, that has to be just about the dumbest thing MS has ever said. So users know what they are doing and accept the dialog the majority of the time. That's a BAD thing?
The assumption that the users are accepting the UAC prompt inappropriately most of the time is ignorant and arrogant. In other words, it sounds just like Microsoft.
I have been suggesting a Sudo like approach to authentication for a long time. In fact I created my own sudo like program that will disable UAC for five minutes, and re-enable it after that time. So when I know I have several Admin tasks to perform, I launch my "UAC Sudo" app, approve it, and do what I want to do. After five minutes I will have to approve again if I want to continue performing Admin tasks.
Why can't Microsoft do this? Are they afraid of being sued by the OOS community for doing security the right way? I find it hard to believe they are in any real danger for such an obvious design improvement.
by andurilan February 2, 2009 3:47 AM PST
"I've seen all the arguments over Long's blog, and here on CNET. But for me, it's really not an issue. As long as Win7 is safer than XP, which with Defender+Firewall, it currently is. I've used XP Pro/x64, Vista since beta, and Win 7 on netbook and now using it as my primary os. I always turn off UAC as it is not useful to me whatsoever.
During my time of using Windows since XP SP1 to Win 7 Beta 7000, I've gotten no more than 5 viruses (*virii). I've only used Anti-Virus Once, and this was during the XP SP2 Summer of Worms. Want to know how I did it? A little experience and common sense (don't open the omgbritneynude.exe's)
PC Security has a lot more to do with the person sitting between the keyboard and chair, than it does with UAC Prompt defaults. I'm chuckling to myself because of all the ruffled feathers this has caused."
I wrote this over on Ina's blog post about this vbscript UAC hack. While I agree there should be a better implementation of UAC prompts at this level, I've yet to see how this would perform in the wild. Simply put, how would you infect me with this script?
1. Develop A VB Script proof of concept Hack that controls my UAC.
2. Have me willingly download, and open it...
3. ???
4. Infection!
More like
1. Ditto
2. Blog about it utterly destroying security in Win 7.
3. ???
4. PROFIT!!! PAGE HITS!!! TRAFFIC!!!
If they really wanted to fix the problem, which would be a UAC whitelist, you guys would be complaining about privacy rights issues, and anti-trust lawsuits. Damned if they do....
Like I said before, security is in the hands of the beholder. You asked for a less annoying UAC, and you got it. Beggars really can't be choosers. Not that I don't think MS is correct in their position, in fact they should correct this and move on.
But let's focus on real security issues that deserve more attention. Like getting rid of the registry completely, or scrapping ActiveX. Or other causes that would give us a lot of awesome features, like WinFS, which would be a quantum leap on how we compute today (associations between files/apps/ratings through an XML-like system). But for goodness sakes this is such a trivial issue for me as it stands.
No, I won't... A less secure Windows is OK with me, mainly because there is always some way or other that the loopholes are taken advantage of. So what am I doing with a system that is annoying AND causing me problems?
Instead of analysing a situation and determining whether user approval is necessary, Vista simply moves all responsibility for system damage straight to the person using it. So no one can EVER say "I didn't want that setting changed without my approval".
The problem is, 9 out of 10 times, the user has ALREADY chosen to give approval for a change. If you just changed the screen resolution by clicking OK, why on earth you need to approve it one more time? Doesn't the system already know YOU clicked it yourself, and not some malware?
But Microsoft didn't WANT to do it the hard way - they just wanted an excuse; a simple, stupid implementation that gets the monkey off their backs (or so they thought).
UAC is just lazy, lazy, lazy, stupid, simple and indiscriminate garbage. THAT is why people hate it!
by ckurowic February 3, 2009 8:38 AM PST
I find it interesting that for YEARS people who used Windows said the Mac OS was for people too stupid to use a real computer. Now Microsoft is forced to implement UAC to help REAL stupid users not destroy their computers!!!