Welcome to our blog dedicated to the engineering of Microsoft Windows 7
Hi, Jon DeVaan here to talk to you about the recent UAC feedback we’ve been receiving.
Most of our work finishing Windows 7 is focused on responding to feedback. The UAC feedback is interesting on a few dimensions of the engineering decision-making process, and I thought that exploring those dimensions would make for an interesting e7 blog entry. This is our third discussion about UAC; for those interested in the evolution of the feature in Windows, it is worth reading the two previous posts (post #1 and post #2) and also the comments many of you left on them.
We are flattered by the response to the Windows 7 beta so far and working hard at further refining the product based on feedback and telemetry as we work towards the Release Candidate. For all of us working on Windows it is humbling to know that our work affects so many people around the world. The recent feedback is showing us just how much passion people have for Windows! Again we are humbled and excited to be a part of an amazing community of people working to bring the value of computing to a billion people around the world. Thank you very much for all of the thoughts and comments you have contributed so far.
UAC is one of those features that has a broad spectrum of viewpoints, with advocates staking out both “ends” of the spectrum as well as all points in between, and often doing so rather stridently. In this case we might represent the ends of the spectrum as “security” on one end and “usability” on the other. Of course, in reality this is not a bipolar issue; there is a spectrum of perfectly viable design points in between. Security experts around the world have lived with this basic tension forever, and there have certainly been systems designed to be so secure that they are secure from the people who are supposed to benefit from them. A personal example I have is that my bank recently changed the security regimen on its online banking site. It is so convoluted I am switching banks. Seriously!
As people have commented on our current UAC design (and people have commented on those comments) it is clear that there is conflation of a few things, and a set of misperceptions that need to be cleared up before we talk about the engineering decisions made on UAC. These engineering decisions have been made while we carry forth our secure development lifecycle principles pioneered in Windows XP SP2, and most importantly the principle of “secure by default” as part of SD3+C. Windows 7 upholds those principles and does so with a renewed focus on making sure everyone feels they are in control of their PC experience as we have talked about in many posts.
The first issue to untangle is the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent. Some people have taken the “it’s not a vulnerability” position to mean we aren’t taking the other parts of the issue seriously. Please know we take all of the feedback we receive seriously.
The word “vulnerability” has a very specific meaning in the security area. Microsoft has one of the leading security agencies in the world in the Microsoft Security Response Center, which monitors the greater ecosystem for security threats and manages the response to any threat or vulnerability related to Microsoft products. By any definition that is generally accepted across the worldwide security community, the recent feedback does not represent a vulnerability, since it does not allow the malicious software to reach the computer in the first place.
It is worth pointing out the defenses that exist in Windows Vista that keep malware from getting on the PC in the first place. When using Internet Explorer (other browsers have similar security steps as well) to browse to a .vbs file or .exe file, for example, the person will see the prompts below:
Internet Explorer 8 has also introduced many new features to thwart malware distribution (see http://blogs.msdn.com/ie/archive/2008/08/29/trustworthy-browsing-with-ie8-summary.aspx ). One of my favorites is the SmartScreen® Filter which helps people understand when they are about to visit a malicious site. There are other features visible and hidden that make getting malware onto a PC much more difficult.
A SmartScreen® display from IE 8
Additionally, if one attempts to open an attachment in a modern email program (such as Windows Live Mail) the malware file is blocked:
Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place. In Windows 7 we have continued to focus on improving the ability to stop malware before it is installed or running on a PC.
The second issue to untangle is the difference in behavior between different UAC settings. In Windows 7, we have four settings for the UAC feature: “Never Notify,” “Notify me only when programs try to make changes to my computer (without desktop dimming),” “Notify me only when programs try to make changes to my computer (with desktop dimming),” and “Always Notify.” In Windows Vista there were only two choices, the equivalent of “Never Notify” and “Always Notify.” The Vista UI made it difficult for people to choose “Never Notify,” so in practice people were left choosing between the two extremes of the implementation. Windows 7 offers you more choice and control over this feature, which is particularly interesting to many of you based on the feedback we have received.
The recent feedback on UAC is about the behavior of the “Notify me only when programs try to make changes to my computer” settings. The feedback has been clear it is not related to UAC set to “Always Notify.” So if anyone says something like, “UAC is broken,” it is easy to see they are mischaracterizing the feedback.
The Purpose of UAC
We are listening to the feedback on how “Notify me only when…” works in Windows 7. It is important to bring in some additional context when explaining our design choice. We choose our default settings to serve a broad range of customers, based on the feedback we have received about improving UAC as a whole. We have learned from our customers participating in the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, in-field user testing, and in-house usability testing that the benefit of the information provided by the UAC consent dialog decreases substantially as the number of notifications increases. So for the general population, we know we have to present only key information to avoid the reflex to “answer yes”.
One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure-all. UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system-wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective countermeasure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. There are other human behavior factors which were discussed in our earlier blog posts (post #1 and post #2).
UAC also helps software developers improve their programs to run without requiring administrator privileges. The most effective way to secure a system against malware is to run with standard user privileges. As more software works well without administrator privileges, more people will run as standard user. We expect that anyone responsible for a set of Windows 7 machines (such as IT Administrators or the family helpdesk worker (like me!)) will administer them to use standard user accounts. The recent feedback has noted explicitly that running as standard user works well. Administrators also have Group Policy at their disposal to enforce the UAC setting to “Always Notify” if they choose to manage their machines with administrator accounts instead of standard user accounts.
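The four slider positions listed above are stored as three registry values under the local security policy key, and that is also what a Group Policy enforcing “Always Notify” writes. The following PowerShell script is an added example, not code from this post or from Microsoft: it reads those values, names the Windows 7 setting they correspond to, and warns when the machine sits below a chosen baseline, which is the check an administrator of a set of machines would want to run. The registry value names and their meanings are the documented Windows 7 ones; the function names, the rank numbers and the default baseline are assumptions made for this example.

```powershell
# Added example (not from the Engineering Windows 7 post): audit the local
# UAC slider position and compare it with a required baseline.
# Documented value names; rank numbers and function names are this example's own.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSetting {
    param([string]$KeyPath = $UacPolicyKey)

    $p = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # Three values together define the slider position:
    #   EnableLUA                  0 = Admin Approval Mode (UAC) off
    #   ConsentPromptBehaviorAdmin 0 = elevate silently, 2 = prompt for consent,
    #                              5 = prompt only for non-Windows binaries
    #   PromptOnSecureDesktop      1 = prompt on the secure (dimmed) desktop
    $enableLua = $p.EnableLUA
    $consent   = $p.ConsentPromptBehaviorAdmin
    $secure    = $p.PromptOnSecureDesktop

    if ($null -eq $enableLua -or $null -eq $consent -or $null -eq $secure) {
        $name = 'Unknown (one or more policy values missing)'; $rank = -1
    }
    elseif ($enableLua -eq 0 -or $consent -eq 0) {
        $name = 'Never Notify'; $rank = 0
    }
    elseif ($consent -eq 5 -and $secure -eq 0) {
        $name = 'Notify me only when programs try to make changes to my computer (without desktop dimming)'; $rank = 1
    }
    elseif ($consent -eq 5 -and $secure -eq 1) {
        $name = 'Notify me only when programs try to make changes to my computer (with desktop dimming)'; $rank = 2
    }
    elseif ($consent -eq 2 -and $secure -eq 1) {
        $name = 'Always Notify'; $rank = 3
    }
    else {
        $name = "Non-standard combination (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"; $rank = -1
    }

    [pscustomobject]@{
        Setting                    = $name
        Rank                       = $rank
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
    }
}

function Test-UacBaseline {
    # Rank 3 ('Always Notify') is the setting the post says Group Policy can enforce;
    # choosing it as the default baseline is this example's assumption.
    param([int]$MinimumRank = 3)

    $current = Get-UacSetting
    if ($current.Rank -lt $MinimumRank) {
        Write-Warning ("UAC is '{0}' (rank {1}); baseline requires rank {2} or higher." -f `
            $current.Setting, $current.Rank, $MinimumRank)
        return $false
    }
    return $true
}

# Report the current position and exit non-zero if it is below the baseline,
# so the script can run from a scheduled task or a login script.
Get-UacSetting | Format-List
if (-not (Test-UacBaseline)) { exit 1 }
```

Because the values live under the Policies key, a domain Group Policy that sets “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” and “User Account Control: Switch to the secure desktop when prompting for elevation” will reapply them on every policy refresh; running this check after the refresh confirms the policy actually landed on the machine.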
Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines. We know that the feedback does not apply to the “Always Notify” setting of UAC; and we know that UAC is not 100% effective at stopping malware once it is running. One might ask, why does the “Notify me only when…” setting exist, and why is it the default?
The creation of the “Notify me only when…” setting and our choice of it as the default is a design choice along the spectrum inherent in security design as mentioned above. Before we started Windows 7 we certainly had a lot of feedback about how the Vista UAC feature displayed too many prompts. The new UAC setting is designed to be responsive to this feedback. A lot of the recent feedback has been of the form of, “I’ll set it to ‘Always Notify,’ but ‘regular people’ also need to be more secure.” I am sure security conscious people feel that way, and I am glad that Windows 7 has the setting that works great for their needs. But what do these so called “regular people” want? How to choose the default, while honoring our secure design principles, for these people is a very interesting question.
In making our choice for the default setting for the Windows 7 beta we monitored the behavior of two groups of regular people running the M3 build. Half were set to “Notify me only when…” and half to “Always Notify.” We analyzed the results and attitudes of these people to inform our choice. This study, along with our data from the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, and in house usability testing, informed our choice for the beta, and informed the way we want to use telemetry from the beta to validate our final choice for the setting.
A key metric that came out of the study was the threshold of two prompts during a session. (A session is the time from power up to power down, or a day, whichever is shorter.) If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer. In comparing the two groups we found that the group with the “Always Notify” setting was nearly four times as likely to have sessions with more than two prompts (a 1 in 6.7 chance vs a 1 in 24 chance). We gathered the statistic for how many people in the sample had malware make it onto their machine (as measured by Windows Defender cleaning) and found there was no meaningful difference in malware infestation rates between the two groups. We will continue to collect data during the beta to see if these results hold true in a much broader study.
We are very happy with the positive feedback we have received about UAC from beta testers and individual users overall. This helps us validate our “regular people” focus in terms of the trade-offs we continue to consider in this design choice. We will continue to monitor the feedback and our telemetry data to continue to improve our design choices on UAC.
So as you can see there is a lot of depth to the discussion of UAC and the improvements made in Windows 7, both in UAC itself and in the ways we prevent malware from ever reaching a PC. We are working hard to be responsive to the feedback we received from Vista and to provide the right usability and security for people of all types. We believe we’ve made good progress and are listening carefully to the feedback on our UAC changes. Again please accept our most sincere thanks for the passion and feedback on Windows 7. While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view. Our goal is to create a useful, usable, and secure Windows for all types of people.
Thanks for sharing your thoughts. I understand your points.
Now, I want to add my voice to the call for one very simple change:
Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.
That is all we are asking. No other changes. Leave the default level as it is, and keep UAC as it is. We're just talking about the very specific case of CHANGES to the UAC prompting level.
It will NOT be a big nuisance - most people only ever change the UAC level once (if at all).
Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level.
The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument. Somebody WILL get past those other boundaries eventually.
Even if you aren't convinced by my argument, then the PR argument must be a no-brainer for Microsoft.
PLEASE, Jon, it's just a small change that will gain a LOT of user confidence and a LOT of good PR.
I definitely agree with the idea to add an option when installing Windows to create both a local admin account as well as a standard-user account. That would be a *huge* help in encouraging the use of standard-user accounts.
I also agree that even if you guys don't think it's a big issue, there are lots of people in the real world that do. You keep saying you listen to your customers, listen to us and at least add a prompt when changing the UAC notification level.
I don't get this mind-boggling, the-customer-is-stupid response! If 7 can keep malware off of the computer, what is the point of UAC at all that I, as an individual customer, care about?
Look, just fix this little issue. Laugh at me behind my back, send little sarcastic emails amongst yourselves, I don't care, just don't force me to set UAC to "Always Notify", please.
I'll sleep better at night.
Quote: "The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent."
I find that statement inconsistent with the Microsoft Security Intelligence Report ( http://www.microsoft.com/sir ), which has statistics showing ways that malware does make it onto the PC without consent in the real world, such as vulnerable browser add-ons like QuickTime Player, RealPlayer, and so forth. Download the SIR and note the chart on page 37 for a top-ten list of exploited browser add-ons in Vista.
I've run into such exploits myself. Protected Mode took care of them, since I use Internet Explorer. But if the user is running a browser without Protected Mode, that mitigation will not help them. And if they're running as an Administrator, as Windows set their first user account up by default, what will happen?
For another real-world example, F-Secure's blog shows the clever ruse used by Conficker.B to get people to execute the infection when they think they're just opening Explorer to view the contents of a USB drive:
In my opinion, considering the ingenuity and determination the bad guys have shown over the last decade, it is naive to think that there will be no non-user-initiated malicious code execution on ~500 million PCs from 2010 to 2021. Put up walls around the UAC settings, at a minimum. I also suggest using the secure desktop by default; people *are* getting accustomed to UAC, especially since Vista SP1.
Am I missing something? Could Microsoft not set up a mechanism to allow only an authorized subsystem to change the UAC settings or disable it altogether, i.e. digitally signed?
You have 95% of the people out there thinking you got it wrong, even if they are the ones that got it wrong. The problem is that they are the ones that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?
Personally, I think you make people happy and sell product. Though acknowledge that you will suddenly have lots of similar items in the same class of "I installed something and it is doing something I didn't think it would do".
The general public understands and appreciates security by obscurity (they still hide things under the mattress, or someplace hidden in their house), even though the security industry thinks it is bad since it brings a false sense of security that they do not have. But people relate to it anyhow.
Doesn't sound like an engineering decision. Sounds like a business one.
I'm not sure I get it. Why exactly are you championing limited user accounts again? Going by what you said, once a piece of software gets on the PC, it doesn't matter what it does, it won't be a security vulnerability.
Why is there limited access rights to some files on the OS? Why can't my application change security-related settings without sufficient privileges?
Going by this blog post, none of that would be necessary, because "there's no way for software which exploits it to get onto the PC".
And yet all those features were there in Vista, and are there in Win7.
It does seem weird that a program running without superuser privileges is able to disable UAC without prompting the user.
In the default setting, UAC requires confirmation for security-related changes, but ignores everything else. Why exactly is UAC's configuration itself not a security setting?
The current setting pretty much renders UAC irrelevant, doesn't it? In the default setting, assuming a piece of malware gets to execute, it can disable UAC entirely, which means that it can now do anything it pleases without requiring consent from the user. If the justification for this is that "malware shouldn't get this far in the first place, it should never get to the point where a UAC prompt is needed", then it begs the question "why exactly is UAC there, then?"
It seems you're intent on nitpicking about the precise definition of malware, and are assuming a perfect world with no security vulnerabilities in the browser, and an omniscient user who would never execute a piece of malware in the first place.
And that just misses the point that users aren't perfect, malware *will* end up on the machine, and if the user can't trust UAC to warn them if it attempts to perform critical security changes, the UAC becomes pretty useless.
Considering how badly behaved most Windows software is, isn't it naive to assume that "malware is something that will give the user a warning when he downloads it"?
What exactly are the odds that some software developers will choose the lazy way to "fix" the UAC prompts their (otherwise benign) software causes? I'm willing to bet that some of them will simply decide "eh, we'll just lower the UAC setting a bit. The user won't notice the difference, and it means I won't annoy him with UAC prompts all the time".
This is unbelievable. Such a long blog entry and you never come to the point. How long do you want to hide behind telemetry data? This is not a way to communicate with smart people.
You are either dumb (don't think so) or you make yourself look dumb because you have actually seen through this.
First, the question of how malware comes to run on the computer is completely irrelevant for this, because UAC prompts are about programs which already run on the computer.
One question really raised here is if the UAC prompt is special for UAC or not. Maybe you think it is not special and have a good reason for that. But I can't imagine that a smart guy did not see this question asked here.
So I think what you do not tell us here is that you fear that if you give in in this case and put a UAC prompt before UAC changes, people will come up with further cases where programs bypass UAC by simulating user input, rendering the whole concept of the new default setting useless. But then maybe it is useless.
Obviously this would be hard for you to swallow at this point. But you have more to lose by not having an honest discussion.
I think a clarification on whether UAC can be changed programmatically and whether there will always be a UAC prompt if this happens would help here... but the figures on usage and malware incidence from the M3 are very interesting. Do you consider the M3 user base representative of the general user base or might there be a skew towards more 'careful' users? I'm assuming you'll look at the same figures from beta users and evaluate that...
As many said before me: Changing the UAC prompting level should trigger a UAC prompt!
Shouldn't changing the UAC level be the ONE command above all commands that produces the UAC prompt?
I wouldn't give someone the keys to my house, but allow them to easily change all the locks on my doors...
Just doesn't make any sense. What am I missing?
I can't see that having a UAC prompt if something attempts to change UAC itself would be a bad thing. I would rather know if something has just changed the security level I have elected!!
Slightly off topic, I have just read that it has been confirmed that there will be 6 versions of Windows 7.
PLEASE REVERSE THIS DECISION!!!!
You only need Home and Business in the mainstream, anything else just causes confusion. If you want to have a host of other versions for big corporates that's fine, just don't release them or even mention them to the general public.
I waste so much of my day explaining the stupid versions of Vista to worried customers. At the end they only ever want a home version or a work version.
Just sell the home one at a really keen price £50 in the UK which is probably $50 in the US, sell the Business version for £/$80 and you will absolutely rake it in.
Sell the OEM versions of the above for £40 and $60 and MS profits will go ballistic!
There are so many XP users dying to ditch it for a modern OS and this is your big chance.
Do anything else and you will see Ubuntu and OSX ripping into your market share.
I do not believe it ... 6 versions, do the marketing drones not learn anything, we are in a recession both sides of the pond.
If I was a coder in Redmond I would take industrial action against this decision. All the brilliant work being done by the guys and gals who report here is being thrown away!!
...let's touch on this quote from the blog here:
quote: "In making our choice for the default setting for the Windows 7 beta we monitored the behavior of two groups of regular people running the M3 build. Half were set to “Notify me only when…” and half to “Always Notify.” We analyzed the results and attitudes of these people to inform our choice. This study, along with our data from the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, and in house usability testing, informed our choice for the beta, and informed the way we want to use telemetry from the beta to validate our final choice for the setting."
I've hunted malware in the real world. At one point, I was turning in more malware samples in an average day than the entire CastleCops MIRT. After sneaking thousands upon thousands of malware samples past Defender without detection, I can safely say that Windows Defender's ability to detect fresh real-world malware is distressingly low. I cannot accept your Defender detection statistics as a meaningful metric here.
I would also like to point out that the test you've described is merely testing for today's security landscape, not for the next ten years. It's wise to plan for the future, not for the past, because once Win7 is in the field, the bad guys are not likely to rest on their laurels.
To cite an obvious (to me) example, look at the WinXP Security Center. It didn't take the bad guys long to begin either disabling the Security Center altogether, or turning off its "red shield" notification, so that the Security Center could not alert users that their antivirus software had been turned off to pave the way for further infections.
The bad guys frequently molest other Windows features as well. For example: System Restore points are destroyed to prevent an easy recovery. The Windows Firewall is disabled, or exceptions are added. Browser security settings are altered. DEPEND ON IT: if you leave these controls accessible to userland code on a default out-of-the-box Windows installation, the bad guys will not ignore them in the interest of "fighting fair."
Those who do not know their history are doomed to repeat it...
I read through your blog once again and there is in fact a single sentence, which really comes to the point of this discussion. The sentence is:
"For example, clever malware will avoid operations that require elevation."
It seems to me that you talk about UAC in general here, including the strong version which is currently active in Vista.
Can you please elaborate on how malware would do that? Is it then true that the only purpose of UAC is to torture end users to force programmers to change their programs? If this is not a security feature, then why lock the desktop for a UAC prompt?
I also do not understand this sentence:
"UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used."
Can you please elaborate.
Well, I hope you already got the picture from the many comments. I think your reasons and your logic are faulty. With security as a high priority, this should be a no-brainer. I think you should ALWAYS UAC prompt for changes to UAC. If you do not want to do that, then you should always prompt for UAC if the change is going to be set to a lower value than the current setting. This is more work I am sure, but I think that is the minimum bar. The better solution is to just always prompt for changes to UAC. I can kind of see not prompting for UAC if the UAC prompt is disabled completely, but that is the only scenario that I would accept as valid for not prompting.