Microsoft on Win7 UAC: 'Take the emotions out of the discussion'

The latest blog posts from Windows 7 engineers reveal this quandary: If the whole point of accelerating Win7 was to eliminate the Vista complaints, and the tool to accomplish that is generating more complaints, what do they do?

Repeating the message, sometimes exhaustively, that they are indeed listening to testers' concerns about the trial security measures in the latest Windows 7 public beta, Microsoft's engineers appear to be on the brink -- if not already over it -- of asking testers the following: If all you're going to do is complain, why should we bother?

The subject, of course, has been the "royal shellacking" that the company has been receiving in the last few weeks for design choices that are said to reduce or eliminate the cause of Vista customers' complaints, but which appear questionable from a security standpoint. Should, for example, Windows 7 have the ability to assign self-elevating privileges to binaries that appear to be signed by Microsoft? As Betanews readers have pointed out, Vista already has similar capabilities; but based on what Microsoft representatives have been saying and what testers are discovering, those methodologies are made easier in the current Win7 beta build.

In a very long blog post early this morning, Microsoft engineer John DeVaan began with words that could be interpreted, or misinterpreted, to mean, if only you folks would keep the noise down, we could get some work done around here. DeVaan begins, "Most of our work finishing Windows 7 is focused on responding to feedback. The [User Account Control] feedback is interesting on a few dimensions of engineering decision making process."

DeVaan goes on to ask testers not to speak of Microsoft's design choices for UAC as a "vulnerability," arguing that technically, that word applies to a case where a specific piece of malware has broken through and delivered a payload. No such incident has been reported or discovered with Win7 Build 7000, he says.

The architectural problem he then focuses upon is whether a prompt was a proper roadblock to prevent malware from being installed -- the choice made for Vista that Win7 is trying to steer away from. The default setting in the new Action Center for User Account Control in Win7 is, "Notify me only when programs try to make changes to my computer." This eliminates the UAC prompts that Vista users would receive, which would often come up immediately after they order a system change, usually through the Control Panel.

From a user perspective, that seems reasonable enough -- eliminating system questions that seem to ask repeatedly, "Is what you just did what you meant to be doing?" On the other hand, such prompts were measurably effective at constraining the ability of malware to impersonate the user (and that's the real technical term for processes that adopt the current user's privileges) and make changes the user didn't ask for.

So the problem is finding the right balance; and to that end, DeVaan defends his company's current choice by reminding those who are technically minded, and who would be concerned about the architectural implications of such issues, that they're in the minority.

"It is important to bring in some additional context when explaining our design choice," DeVaan wrote. "We choose our default settings to serve a broad range of customers, based on the feedback we have received about improving UAC as a whole. We have learned from our customers participating in the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, user in field testing, and in house usability testing that the benefit of the information provided by the UAC consent dialog decreases substantially as the number of notifications increases. So for the general population, we know we have to present only key information to avoid the reflex to 'answer yes.'"

At PDC last October, Microsoft system designers presented statistics showing that when Vista users were bombarded by prompts, they tended to ignore them more often, making each one less and less effective at doing its job. In fact, users could "answer yes" or click on Continue or Allow almost reflexively, without reading the warning -- a habit which in and of itself could become exploitable by malware.

Inspired by DeVaan's post, Microsoft chief security advisor Roger Halbheer, in a post of his own this morning, took the discussion a few steps further, invoking a kind of question reminiscent of what the primordial humans in the daily planning meetings from a Douglas Adams novel might ask: If you think you're so smart at inventing the wheel, you tell us what color you think it should be.

"Is UAC really the only thing you are concerned about?" Halbheer asked. "I think it [the system-wide security policy] should be consistent throughout the Windows settings (including UAC) -- protecting UAC alone probably does not cover the attack vectors you are mentioning."

Assuming the user is an administrator anyway, Halbheer continued, "As an example: I can open the Device Manager without prompt. I can change all Windows Settings without a prompt (including all the security settings). This is what the UAC setting is for. From a Risk Management perspective: What would it really change if we would ask for a prompt if you change the UAC setting? So, the malware we are looking at could now not change the UAC settings but all the other Windows settings (if you are an Admin). How much would this really lower the risks -- or would it reduce the risk at all?"

Maybe folks would be better off if "High" were the default setting -- essentially keeping things where they were with Vista, he tossed out. Would users like that better?

"In my opinion," Halbheer concluded, "we all should do two things: 1. Take the emotions out of the discussion; 2. Look at the broad picture from a risk management perspective... The reason for publishing Beta versions is to have these discussions now, where changes are still possible rather than after the release. So, let's have this discussion taking the points above in consideration."
