Welcome to our blog dedicated to the engineering of Microsoft Windows 7
Hi, Jon DeVaan here to talk to you about the recent UAC feedback we’ve been receiving.
Most of our work finishing Windows 7 is focused on responding to feedback. The UAC feedback is interesting on a few dimensions of engineering decision making process. I thought that exploring those dimensions would make for an interesting e7 blog entry. This is our third discussion about UAC and for those interested in the evolution of the feature in Windows it is worth seeing the two previous posts (post #1 and post #2) and also reading the comments from many of you.
We are flattered by the response to the Windows 7 beta so far and working hard at further refining the product based on feedback and telemetry as we work towards the Release Candidate. For all of us working on Windows it is humbling to know that our work affects so many people around the world. The recent feedback is showing us just how much passion people have for Windows! Again we are humbled and excited to be a part of an amazing community of people working to bring the value of computing to a billion people around the world. Thank you very much for all of the thoughts and comments you have contributed so far.
UAC is one of those features that has a broad spectrum of viewpoints with advocates staking out both “ends” of the spectrum as well as all points in between, and often doing so rather stridently. In this case we might represent the ends of the spectrum as “security” on one end and “usability” on the other. Of course, this is not in reality a bi-polar issue. There is a spectrum of perfectly viable design points in between. Security experts around the world have lived with this basic tension forever, and there have certainly been systems designed to be so secure that they are secure from the people who are supposed to benefit from them. A personal example I have is that my bank recently changed the security regimen on its online banking site. It is so convoluted I am switching banks. Seriously!
As people have commented on our current UAC design (and people have commented on those comments) it is clear that there is conflation of a few things, and a set of misperceptions that need to be cleared up before we talk about the engineering decisions made on UAC. These engineering decisions have been made while we carry forth our secure development lifecycle principles pioneered in Windows XP SP2, and most importantly the principle of “secure by default” as part of SD3+C. Windows 7 upholds those principles and does so with a renewed focus on making sure everyone feels they are in control of their PC experience as we have talked about in many posts.
The first issue to untangle is the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent. Some people have taken the “it’s not a vulnerability” position to mean we aren’t taking the other parts of the issue seriously. Please know we take all of the feedback we receive seriously.
The word “vulnerability” has a very specific meaning in the security area. Microsoft has one of the leading security agencies in the world in the Microsoft Security Response Center, which monitors the greater ecosystem for security threats and manages the response to any threat or vulnerability related to Microsoft products. By any definition that is generally accepted across the world wide security community, the recent feedback does not represent a vulnerability since it does not allow the malicious software to reach the computer in the first place.
It is worth pointing out the defenses that exist in Windows Vista that keep malware from getting on the PC in the first place. When using Internet Explorer (other browsers have similar safeguards) and attempting to browse to a .vbs or .exe file, for example, the person will see the prompts below:
Internet Explorer 8 has also introduced many new features to thwart malware distribution (see http://blogs.msdn.com/ie/archive/2008/08/29/trustworthy-browsing-with-ie8-summary.aspx ). One of my favorites is the SmartScreen® Filter which helps people understand when they are about to visit a malicious site. There are other features visible and hidden that make getting malware onto a PC much more difficult.
A SmartScreen® display from IE 8
Additionally, if one attempts to open an attachment in a modern email program (such as Windows Live Mail) the malware file is blocked:
Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place. In Windows 7 we have continued to focus on improving the ability to stop malware before it is installed or running on a PC.
The second issue to untangle is the difference in behavior between different UAC settings. In Windows 7, we have four settings for the UAC feature: “Never Notify,” “Notify me only when programs try to make changes to my computer (without desktop dimming),” “Notify me only when programs try to make changes to my computer (with desktop dimming),” and “Always Notify.” In Windows Vista there were only two choices, the equivalent of “Never Notify” and “Always Notify.” The Vista UI made it difficult for people to choose “Never Notify,” so in practice people were choosing between the two extremes of the implementation. Windows 7 offers you more choice and control over this feature, which is particularly interesting to many of you based on the feedback we have received.
The recent feedback on UAC is about the behavior of the “Notify me only when programs try to make changes to my computer” settings. The feedback has been clear it is not related to UAC set to “Always Notify.” So if anyone says something like, “UAC is broken,” it is easy to see they are mischaracterizing the feedback.
The Purpose of UAC
We are listening to the feedback on how “Notify me only when…” works in Windows 7. It is important to bring in some additional context when explaining our design choice. We choose our default settings to serve a broad range of customers, based on the feedback we have received about improving UAC as a whole. We have learned from our customers participating in the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, in-field user testing, and in-house usability testing that the benefit of the information provided by the UAC consent dialog decreases substantially as the number of notifications increases. So for the general population, we know we have to present only key information to avoid the reflex to “answer yes”.
One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure-all. UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system-wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective counter-measure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. There are other human behavior factors which were discussed in our earlier blog posts (post #1 and post #2).
UAC also helps software developers improve their programs to run without requiring administrator privileges. The most effective way to secure a system against malware is to run with standard user privileges. As more software works well without administrator privileges, more people will run as standard user. We expect that anyone responsible for a set of Windows 7 machines (such as IT Administrators or the family helpdesk worker (like me!)) will administer them to use standard user accounts. The recent feedback has noted explicitly that running as standard user works well. Administrators also have Group Policy at their disposal to enforce the UAC setting to “Always Notify” if they choose to manage their machines with administrator accounts instead of standard user accounts.
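The four slider positions above, the Group Policy enforcement of “Always Notify,” and the advice to run as a standard user all come down to a handful of registry values and the shape of the logged-on token. The following PowerShell script is an added example for this post, not code from the post or from Microsoft: it reads the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop are the documented value names; the mapping of their combinations to the four Windows 7 slider positions is this script's own assumption, so confirm it against your build), and reports whether the current session is a standard user, an administrator running on a filtered token, or an elevated administrator. The function names are hypothetical.

```powershell
# Added example (not from the original post): audit the effective UAC level
# and the kind of token the current session runs with.
# Group Policy writes the same value names to the same key, so an enforced
# setting shows up here just like a locally chosen one.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Missing values are treated as 0 so the object is always fully populated.
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Get-UacLevel([int]$EnableLUA, [int]$ConsentAdmin, [int]$SecureDesktop) {
    # Assumed mapping of value combinations to the Windows 7 slider positions.
    if ($EnableLUA -eq 0) { return 'Never Notify (UAC disabled; takes effect after reboot)' }
    switch ($ConsentAdmin) {
        2 { return 'Always Notify' }
        5 {
            if ($SecureDesktop -eq 1) {
                return 'Notify me only when programs try to make changes (with desktop dimming) [Windows 7 default]'
            }
            return 'Notify me only when programs try to make changes (without desktop dimming)'
        }
        0 { return 'Elevate without prompting (administrators are never asked)' }
        default { return "Unrecognised ConsentPromptBehaviorAdmin=$ConsentAdmin" }
    }
}

function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # IsInRole only sees enabled groups, so it is true only for an elevated token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # On a filtered token whoami /groups lists the Administrators SID (S-1-5-32-544)
    # as "Group used for deny only": an admin account currently acting as a standard user.
    $adminLine = whoami /groups | Select-String 'S-1-5-32-544'
    $filtered  = ($adminLine -ne $null) -and ($adminLine -match 'deny only')
    if ($elevated)     { return 'Elevated administrator' }
    elseif ($filtered) { return 'Administrator account running on a filtered (standard-user) token' }
    else               { return 'Standard user account' }
}

# Usage: run in any PowerShell prompt; reading the key needs no elevation.
$policy = Get-UacPolicy
$level  = Get-UacLevel $policy.EnableLUA $policy.ConsentPromptBehaviorAdmin $policy.PromptOnSecureDesktop
$token  = Get-TokenState

Write-Host "UAC level : $level"
Write-Host "Session   : $token"

# Flag the combination the post argues against: an administrator account
# sitting below "Always Notify".
if ($token -ne 'Standard user account' -and $level -ne 'Always Notify') {
    Write-Warning 'Administrator account with UAC below "Always Notify"; consider a standard user account or the Group Policy enforced setting.'
}
```

The script is read-only; it changes nothing and can be run on every machine in a fleet to find accounts that the post says should be standard users but are not.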
Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines. We know that the feedback does not apply to the “Always Notify” setting of UAC; and we know that UAC is not 100% effective at stopping malware once it is running. One might ask, why does the “Notify me only when…” setting exist, and why is it the default?
The creation of the “Notify me only when…” setting and our choice of it as the default is a design choice along the spectrum inherent in security design as mentioned above. Before we started Windows 7 we certainly had a lot of feedback about how the Vista UAC feature displayed too many prompts. The new UAC setting is designed to be responsive to this feedback. A lot of the recent feedback has been of the form of, “I’ll set it to ‘Always Notify,’ but ‘regular people’ also need to be more secure.” I am sure security conscious people feel that way, and I am glad that Windows 7 has the setting that works great for their needs. But what do these so-called “regular people” want? How to choose the default, while honoring our secure design principles, for these people is a very interesting question.
In making our choice for the default setting for the Windows 7 beta we monitored the behavior of two groups of regular people running the M3 build. Half were set to “Notify me only when…” and half to “Always Notify.” We analyzed the results and attitudes of these people to inform our choice. This study, along with our data from the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, and in house usability testing, informed our choice for the beta, and informed the way we want to use telemetry from the beta to validate our final choice for the setting.
A key metric that came out of the study was the threshold of two prompts during a session. (A session is the time from power up to power down, or a day, whichever is shorter.) If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer. In comparing the two groups we found that the group with the “Always Notify” setting was nearly four times as likely to have sessions with more than two prompts (a 1 in 6.7 chance vs a 1 in 24 chance). We gathered the statistic for how many people in the sample had malware make it onto their machine (as measured by Defender cleaning) and found there was no meaningful difference in malware infestation rates between the two groups. We will continue to collect data during the beta to see if these results hold true in a much broader study.
We are very happy with the positive feedback we have received about UAC from beta testers and individual users overall. This helps us validate our “regular people” focus in terms of the trade-offs we continue to consider in this design choice. We will continue to monitor the feedback and our telemetry data to continue to improve our design choices on UAC.
So as you can see there is a lot of depth to the discussion of UAC and the improvements made in Windows 7 in UAC itself and in improving ways to prevent malware from ever reaching a PC. We are working hard to be responsive to the feedback we received from Vista to provide the right usability and security for people of all types. We believe we’ve made good progress and are listening carefully to the feedback on our UAC changes. Again please accept our most sincere thanks for the passion and feedback on Windows 7. While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view. Our goal is to create a useful, useable, and secure Windows for all types of people.
I feel that Windows or Setup does not encourage users enough to run as normal user.
Most users that are mostly the only users of their computer create only 1 user account and that becomes the account with admin rights.
Setup should be changed in a way that it becomes normal for any computer user that a normal user account is created that will be used normally, and that the admin account is only used for very specific scenarios.
What most people seem to forget when they ask for an additional UAC prompt is that this DOES NOT solve the problem AT ALL!
Any piece of software (malware or not) has the ability not only to lower the UAC level without prompt but to do almost everything by using one of the "certified for auto-elevation"-applications/dialogs even with the standard UAC level.
Example: If malware wants to copy itself into the Windows system folder or change any system files, it can do so by simulating user interaction with Explorer. This is because in the default Windows 7 UAC setting you won't get prompted if you use Explorer to make any changes to system folders.
Why is this not considered a security problem?!
As already said: The OS cannot base its security on the assumption that there are external mechanisms to prevent malware from getting onto the system. Instead this is where OS security comes in. It's the OS's job to prevent running malware from damaging the system.
Perhaps the problem could be solved by using integrity levels. Raise the integrity level of the applications/dialogs you want to be allowed for auto-elevation above medium (somewhere between medium and high) and deny medium-IL applications the communication (sending keystrokes etc.) with higher-IL applications/dialogs.
I think the big unword in this article is "Customer-Driven Engineering".
Customers will always ask for more gummi bears. But if they get problems with their stomach, then it is of course the fault of the engineer.
I think your point explains the reaction of Microsoft to this. The new UAC level seems to be fundamentally flawed, so it becomes difficult to draw a line for them.
But then doesn't it make a difference for practical security, if a malware script has to just switch off UAC or simulate lengthy user explorer sessions. These are the kind of considerations, I expected from Jon's blog and not pointless telemetry data.
I would suggest the Microsoft security group work with the Comodo team on how to properly display a popup, how to display the information (have a Basic and an Advanced option), AND how to properly implement a firewall. The XP, Vista and W7 firewalls are so useless that any script kiddie with more than 10 minutes can be into the OS (direct broadband connection, no NAT firewall, no software firewall aside of default Windows Firewall). UAC is only useful for the clueless customer that wants that warm fuzzy feeling of "thinking" that they are safe with UAC on.
Previously, I mentioned that Defender's detection rates aren't too great. As an illustration, I pulled 2236 malware samples out of my archives, and scanned them with Defender, as well as with Kaspersky's online scanner.
Here are screenshots showing the results (namely, Defender detects 95 of the 2236 samples, while Kaspersky detects 2216 of them).
Keep in mind that these samples are more than a year old. I hope the Win7 team is also using other software, such as OneCare or another full antivirus program, to generate metrics on infection rates.
I think that there is NO way to make that "broken-UAC" to work at all.
Instead I would like to see some kind of "don't warn me for the next 30 minutes" option in the UAC screen.
Also I would like to have special UAC mode in which it is allowed to do different not very harmful things like list running processes from All Users in Task Manager, launch chkdsk.exe or defrag, even connect or disconnect from network.
But replacing system files in Windows Explorer, updating device driver, change security permissions - all these should be UAC protected.
Great explanation on UAC and how MS puts so much faith in the very narrow & limited user groups and surveys, instead of relying on 'real' users in the field as represented mainly by their many beta testers who DO represent and deal with the 'ordinary users' every day.
This blog post, while eloquently presented, says one thing mainly: 'that MS, again, can't see the forest for the trees'. :)
You are right. The new UAC level is definitely flawed and they have a deeper design problem here that is not fixed by just adding a single prompt. If they were to add a prompt for UAC changes then someone would come along and do a quick demo on "How to turn off the W7 firewall without UAC prompting for elevation".
They really have to reconsider the current implementation of the new UAC level and I think (as mentioned earlier) a more extensive use of integrity levels could possibly do the job here.
It would be interesting to see Jon commenting on such ideas.
I'd accept that this is quite a valid argument. UAC can only protect you so much, but the onus is on your part to not click yes to run anything, but that also leads to one issue, where people can further circumvent this and make things seem more legit, and that is through an MSI installer; just imagine applications bundled with the reg key. I mean elevating for an MSI installer is pretty common, and if the malware vendor or whatnot is intending to try to give away free software and also in turn getting the user to elevate the install so that they can install the reg key, then it's really not the user's fault to unknowingly allow elevation, as the installer could be well packaged really nicely and the app could very well be an excellent app, giving good incentives to the user.
Turning UAC off for 30 minutes is the same as turning it off altogether; how do you know those aren't the 30 minutes when you'll be hit by malware? And the things you list as 'not harmful' will usually have a good reason for needing to run as admin; malware would love to elevate and see what system processes it can attack.
@Siv - and I know I shouldn't perpetuate an off-topic discussion, but despite the list of 6 SKUs, your customers will only see 2/3 of them: the home version and the business version on the shelf, and the version with the extras on a high-end gaming machine that they can also choose to upgrade to online (and maybe the limited version that might come on an ultra-cheap netbook where the OEM wants to scrape a few extra dollars off the price). They will never see the others, so you won't have to explain them.
Is no one else surprised that malware can change UAC settings? There should be absolutely no method for applications to change UAC settings in the first place. And users should always be prompted for decreasing UAC settings, the above example of someone letting their child use their PC is a good reason why this should be the case. Sure, malware has to be prompted to allow these things to run, but, at least in Vista, when the malware is removed UAC is still there at the end of the day. On 7, once it's disabled it will probably remain that way for a while as users aren't likely to re-enable a feature that "nags" or "second-guesses" them.
By-the-by, this post sure has gotten a lot of responses quickly. The nerds are angry! :-)
I really see no reason why attempting to change the UAC setting (unless it is turned off) shouldn't trigger a UAC prompt... I understand the customer feedback around UAC, but c'mon--that feedback is hardly relevant to changing the UAC setting itself!
I realize this analogy isn't perfect, but a lock on your door really isn't very effective if the thief can simply remove the lock itself by removing a single screw. Yes, it's true that it appears that a UAC-disabling exploit may already mean "game over" for that machine, but consider this: that's hardly *always* true, and even then, isn't it better to continue to protect the machine against further infection, particularly against many, many older malwares that would have otherwise been rendered ineffective by UAC? And isn't it better for the state of the UAC setting to be a potential wildcard?
I think the real question here is why *shouldn't* UAC protect itself, and that hasn't been answered here. I see no reason.
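Whether or not the UAC slider ends up protected by its own prompt, an administrator can at least make changes to the UAC policy values visible. The following PowerShell script is an added example for this discussion, not code from the post, the commenters or Microsoft: it turns on success auditing for the Registry object-access subcategory, puts an audit ACE on the UAC policy key, and then reads back Security event 4657 (“A registry value was modified”) entries that touch the UAC values. The subcategory name, the event ID and the value names are documented Windows items; the function names and the choice of auditing only SetValue are this script's own. It must be run from an elevated prompt because writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example (not from the original post): log every write to the UAC
# policy values in the Security event log and query those entries back.
# Run elevated; auditing must be enabled before the first change you want to see.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacValues = 'EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop'

function Enable-UacKeyAuditing {
    # 1. System-wide: generate success events for registry object access.
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null

    # 2. Key-specific: an audit ACE so that any principal (Everyone, S-1-1-0)
    #    writing a value under the key produces event 4657.
    $everyone = New-Object Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object Security.AccessControl.RegistryAuditRule(
        $everyone,
        [Security.AccessControl.RegistryRights]::SetValue,
        [Security.AccessControl.InheritanceFlags]::None,
        [Security.AccessControl.PropagationFlags]::None,
        [Security.AccessControl.AuditFlags]::Success)

    $acl = Get-Acl -Path $policyKey -Audit     # -Audit pulls the SACL, not just the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $policyKey -AclObject $acl
}

function Get-UacPolicyChanges([int]$Hours = 24) {
    # 4657 messages carry the object name and the value name; keep only the
    # entries that concern the UAC key and one of the three UAC values.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Policies\\System' -and $_.Message -match $uacValues } |
        Select-Object TimeCreated,
                      @{ Name = 'User';   Expression = { $_.Properties[1].Value } },
                      @{ Name = 'Process'; Expression = { ($_.Message -split "`n" | Select-String 'Process Name') -replace '.*:\s*', '' } }
}

# Usage: enable once, then review whenever UAC appears to have been lowered.
Enable-UacKeyAuditing
Get-UacPolicyChanges -Hours 24 | Format-Table -AutoSize
```

A value write by the UAC control panel itself will also appear in this log, so the useful signal is a 4657 whose process is not the control panel applet the user was sitting in; the Process column in the output is what to compare against.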
As I stated before, it is not sufficient to add a prompt for the UAC level settings dialog. This dialog is just one example of using "certified for auto-elevation" applications/dialogs to render the new UAC level useless (although it is an extreme example).
A malware could still turn off the firewall, make changes to system folders and mess around with other sensitive system settings at standard UAC level. An additional prompt for the UAC settings dialog just prevents the malware from turning off UAC completely (at least if malware cannot use the sending of keystrokes to change registry keys).
Jon, the whole premise that software is not malware if the user clicks "Allow" is bogus. Users do that all the time with hundreds of pop-ups and dialog boxes they are exposed to on a daily basis. Microsoft's attention should be to ensure that malware cannot be installed or allowed to run on the system period - user allowed or otherwise. Microsoft has access to the same virus/spyware/malware definition databases as all the other anti-something vendors, so run a check to see if the software is listed before allowing anything to happen. If the user isn't online, quarantine the program until they go online to run the check, or cache the definitions on the system for it to refer to. Users are dumb, and security planning needs to be developed around that key fact.