
Microsoft admits Vista UAC was designed to annoy users and developers

Microsoft has a way of rubbing people the wrong way sometimes. In fact, so many people dislike Microsoft because of buggy code, the way it runs over competition, and the fact that it is the biggest player in the industry, that you wouldn't think that Microsoft would actively attempt to annoy users, but it has. At the RSA Security conference last week, a Microsoft official claimed that annoying users was the actual aim of the User Account Control (UAC) feature in Vista. Microsoft's goal, he said, was to try to force smaller software vendors to write more secure code.


Microsoft: Vista feature designed to 'annoy users' (News.com)

There are plenty of annoying practices in the tech world, from software that expires after a certain date to OEMs who put "crapware" on a new PC. I suspect that if you asked a room of 100 people about the most annoying part of technology, you might get as many as 100 different answers. Microsoft, however, has introduced something that is annoying on purpose in order to try to force vendors to write better code. Annoying users is far from a security plan, though, and I truly hope that Microsoft is aware of that.

What Tech Company Practices Annoy You Most? (PC World)

Poll: Technology Annoyances (PC World)

Memo to Microsoft: Annoyance is not a security plan (Computerworld)

I suppose in the grand scheme of things, Microsoft is trying to improve the code that is in the marketplace. However, I am not sure that it should be up to them to police the whole industry, especially when its own software needs security updates on what seems like a weekly basis. Do you think that the annoying purpose of UAC is a good idea?


71 comments
chernohsiray

Finally someone agreed with me. In 2007, when Vista was released in the market, I was one of the first people who bought the OS. A few weeks later I realised that Vista has been designed to annoy users. I spend more time on my computer doing a simple task. Vista is so slow; no matter how many gigs of RAM you have, your computer will always be slow. Please do something about it. We need an OS which can run faster and be more reliable and secure. So far the XP OS is the best ever.

Shellbot

Yes, it's a pain in the hole for IT people..but for the average home user, what's wrong with trying to edumacate them a bit? Yes, many won't care and will just click whatever..and that's cool..keeps the Tech Support guys in a job doesn't it! No software/OS is perfect..I like MS enough..yes I have a very long wish list of things I'd like to see fixed..but whatever. Maybe someone in the future will create a super amazing product with a flawless OS, and there will be a SuperProgram to write all other programs in the computing world flawlessly as well..would certainly cut costs (no programmers, support, testers etc needed) Come on guys..what company in the world gives a cr@p about little ole you moaning? Why should MS be any different? If you don't like their products, fine, use something else.. I don't like Herbal Essences, therefore I don't use it..I don't b!tch and moan about how it leaves my hair feeling weird..many other people in the world buy it and use it..otherwise they wouldn't make it.. I used to use one certain bottle of their shampoo..then they brought out a new and improved version..I didn't like it, so I don't use it.. some days I just like to look at more positive things.. like how nice the Vista screen looks... Before ye all go ape on me, I'm no Vista lover...none of my frigging sw runs on it....I've a virtual machine running for that stuff.. I figure I'll make it "work for me"..but what works for me might not work for others.. Ah, I remember the uproar over XP...in 5 years Vista will be the new chosen one and we'll all be complaining about the new useless OS.. :)

silversidhe

Which is why I have been checking out new (to me) OSs.

Andy Goss

If you buy a Windows computer it will come with one user, the administrator. Most people will just use it, not appreciating the risks. Much simpler than UAC would be to adopt the Ubuntu system in which you have to enter your user password to do anything administrative, and the root user is invisible. But then a lot of people don't have a password. I shall be interested in how this is fixed in Windows 7. Not that I'll be buying one.

Deadly Ernest

I have a friend who's trying to use Vista and is going crazy with the way the UAC is always kicking in. The real kicker on this is the only software he has on the system at the moment is ALL made by Microsoft. So not even the Microsoft software is fully compliant with the UAC. It's not their job to make other people write software to suit them, it's Microsoft's job to write an operating system that people can actually use and like using - that brings a song to mind: "That'll be the day, the day that I..."

NadaTech

First of all, I doubt that the speaker was an official spokesman for Microsoft, he was probably just another product demonstrator. Even so, programmers DO need to write more secure code. Nearly every non-Microsoft app I have to install on a daily basis requires the user to be a member of the Local Admin Group. This is not Windows' fault, it is the programmers' fault. Very few Linux apps require you to run them as Root. The UAC is the same as logging on as Linux root. It is also true that I see XP hacked more often than Vista. The fact is the UAC WORKS and makes people THINK! You don't see it constantly in Vista, only when installing apps or launching certain apps from a link like Google Earth. It is very easy to know why you are seeing the UAC. I use my PC 8-12 hours A DAY and I rarely see any UAC prompt. Oh yeah, did you know, YOU CAN ALSO TURN IT OFF and Vista will act just like XP and run anything you tell it to.

RFink

to the Linux Hall of Fame for single handedly getting more people to switch to linux. :)

Betelgeuse58

that wants to stay in a particular business!!! I'm GLAD I didn't "upgrade" to Vista! However, I AM Migrating to Linux! :D

dmc123

Ok.. So I click on control panel -> system -> advanced and UAC prompts me for confirmation. It's true...and this annoys me to no end (I turned UAC off). Why should I have to confirm an action that I just initiated with a mouse click? Since I'm so annoyed, then MS must be right! The vendors should write better software. OK MS... Please rewrite getting into control panel so that UAC does not annoy me! I doubt very much that UAC was written to annoy people and the MS person who made such a claim must be an idiot. UAC was written to provide tighter security and since it was so poorly thought out, it is an annoyance that folks either turn off or if they don't know how they just blindly accept everything UAC throws at them.

Forum Surfer

UAC is nowhere close to being as obtrusive as ZoneAlarm or other popular 3rd party firewalls that give you pop ups way more often. What's the big deal with a few extra pop ups? It doesn't bother me at all and I run Vista enterprise 64 bit at home and on my primary testing pc at work.

Andy J. Moon

Microsoft is certainly using their power in the software industry to try to improve things all over, but what gives them the right? Microsoft will say that they are simply doing what their market power gives them the obligation to do: make sure that software is as secure as possible. Does the end of more secure software justify the means that Microsoft is using with UAC?

shardeth-15902278

Assuming that really is the truth, they deserve some credit for putting their necks on the block in the name of security. I have often found myself baffled by some programs that would require admin priv's and a reboot after install. They were simple programs, that needed no low level hooks, what were they doing that needed these? If UAC's primary function is as recently advertised, then props to them for taking it on the chin in an effort to get themselves and other companies to clean up their crappy code. (I'm not going to comment on whether it was a good idea, I am on the fence with respect to that.)

HAL 9000

In 5 years time if 7 hits the streets on Schedule I think that you'll find Vista is the ME of M$ current Generation of Products. We don't need more Eye Candy or useless applications built into the Kernel we need a stripped down fast OS that runs our Software the ones that we want to run not the ones that someone else tells us to run as they are the ones making the money off them. Look at how much of the System Resources that are chewed up by the GUI in Vista and then honestly say that you prefer that over speed of your Applications producing Results. Given the choice if I have to go to a High End Computer I want it to produce the End Results Fast not look Pretty and take as long to do the same thing as the older Slower Hardware is doing. I want to see an Improvement over what I have and Vista just doesn't do this in any way shape or Form. UAC if anything makes Productivity even worse than it should be and works in a way that was never asked for by those who bothered to respond to M$ prior to any Code at all being written for Vista. Just remember that ME had a product Launch about the same time difference from XP and look which one ended up being acceptable to the Masses not just the IT Crowd. Col

drutledge

Linux has a far more granular security model than Windows. You aren't forced to make someone an admin just so they can do one useful task. Not so in Windows. Don't blame programmers for the Windows security model or for trying to make useful programs. Blame Microsoft for bundling dozens of privs into the admin account that just aren't available anywhere else. You could also blame them for providing the API's that require the privs in the first place. If they were to break out all available privs and make them accessible through the local security policy MMC snap-in (or gpedit), we wouldn't have to tolerate over-privileged users. UAC is just the latest example of MS' spin machine. They claim it enhances security but it does so by forcing third party developers to reduce functionality to eliminate the UAC nags. If the underlying OS wasn't a security sieve, if it wasn't burdened with Windows 3.1 compatibility layers and kernel code a decade old, if the users weren't running in Ring 0, or if they ever really fixed any root cause, there wouldn't be a need for UAC. The immediate goal of UAC is to provide a false sense of security: Gee, I had to click twice to do something, I'm so secure! No hacker could possibly think of clicking twice! (Or automating the clicking?) Wait a minute - I wasn't forced to authenticate, I just clicked a button. How does Vista know that I clicked the UAC button since it apparently didn't know if it was me that clicked the button that made the UAC button pop up in the first place? Oh no! UAC's ultimate goal is the same as always - to give MS products an unfair advantage in the marketplace. It will be used to make competing products seem less secure than MS products, even though they are not.

Tony Hopkinson

why bother with Vista at all? I love it's the programmers fault bit. You must be new. Programmers do what they are told by the people who pay them..... Making our stuff Vista compatible took about a man month. If the business hadn't seen a marketing advantage to badging up, it wouldn't have happened. Don't even get me started on what they teach programmers about writing secure code....

Forum Surfer

Such poorly written programs (not that I could do it better, not a programmer!) are the reason local admins have barely any rights on my machines through group policy. I spend tons of time figuring out exactly what read/write operations the programs run and grant local admins the rights to said directories. It's a major PITA unless you're just going to grant people that use certain programs admin rights...but then you're creating all the security risks everyone talks smack about. Windows isn't that bad, it's as insecure as you make it or vice versa. At the end of the day it gets the job done just like any other os and it causes problems and headaches for admins...just like any other os. UAC seems to be a last ditch effort on Microsoft's part to make people stop writing code that requires admin privs. I don't blame them.

The Scummy One

my main reason for moving more over to Linux was Vista!!!

JCitizen

All those opposed say Aye?

eriksimonhelberg

UAC i mean come on. A duh if it is written by microsoft as most of the control panel is why does it ask you to verify the vendor a duh! I also have it turned off. Why bother just a pain in the ass.

wayoutinva

Security right..So when so & so software won't run unless it has admin rights, and a hacker uses that flaw to get in, I guess that's MS's fault right. Isn't security the reason so many of you have moved away from MS to Linux, Mac etc. And when you log into those systems, what do you log in as..Admin or regular user..see where I am going with this..MS has been urging software developers to quit writing that require admin rights. I guess they are tired of asking. Make it a pain-in-the-a$$ and somebody hopefully finally gets the point. I am not a MS lover, but put the blame where it correctly lies. If developers were writing code correctly, the UAC would probably have been a non-issue. MS still needs to work on its own stuff as well..

Ed Woychowsky

The difference is that ZoneAlarm has an option where you can grant permanent privileges to a program. After that, the only time that it will pester you is when a new version is installed. However, Vista doesn't have this "feature," one must approve a program again and again. On the plus side, UAC is one part of Vista where everyone agrees that it works as designed.

Tony Hopkinson

wasn't for the world it was for MS. The only way to make Vista acceptable is to write applications that work within that security model. Which incidentally is the one proper multi-user - multi tasking OSes have been using for decades. UAC was the biggest single step they dared take towards proper privilege separation. Given all the crying and honking there has been about it, going whole hog and doing it properly would have made Vista pretty much unacceptable to anybody for two years plus. There is still a lot of code that doesn't use the XP security model, because they made it too easy to ignore. F'all to do with altruism I assure you.

foringmar

Hmm? I seem to recall that XP was originally marketed as being the most secure OS of all times. Until there were some huge headlines about the biggest security hole of all times. I do not trust M$ security efforts anymore.

drutledge

Just what opt-in did I agree to that lets MS spy on my mouse clicks? (And where do I go to revoke it?) So what is to prevent them from popping up a User Annoyance Clickbox (UAC) whenever any software that they don't sell tries to run? Hey Justice Department, European Union, they're doing it again! Kick them once for me.

drutledge

If this "feature" did anything to address the core issues, I'd give them credit, too. However, if they can't tell the difference between an on-click action that I initiated through the GUI from a buffer overflow in one of the 100,000 or so vulnerable points in their code, then I really don't think that User Annoyance Conditioning is going to help, other than to provide another useless and expensive security blanket. When did you last see a hacker from Russia come in to your computer room and start clicking buttons on your desktop? Hasn't happened here more than once or twice. What are the primary vectors for hackers? IE, Outlook Express, and the various MS network services. I've never encountered a single instance of UAC warning me of malicious attempts to exploit the network interface or services. It seems to be interface driven and unable to complain about anything but user-initiated actions. Will UAC keep users out of Ring 0 or move the GDI out of the kernel? Will it address any real security issue? No, No, & No. It's sham security. They never go in and refactor kernel code. They just slap a patch on the entry point, if and only if there is a proven exploit. They ignore identical vulnerabilities in the same code for two reasons: 1. They worry that fixing bad code will break other poorly written MS code that depends on the bad code. 2. Their developers are allocated a fixed amount of time per bug, and if they fix all 16 bugs in the same code block they'll be giving up 15 free weeks of work. (Seen it) In short, nothing running in a user's context is going to make Vista more secure. The faults lie in the kernel and native Windows services that date back to Windows 3.11. Until they rebuild their code base from the ground up, Windows will remain unsecurable and annoying users is just... annoying. It ain't security.
But then, I'm sure that Mike Howard, Mark Russinovich, and Dave LeBlanc have told them that at least ten thousand times by now, and since they don't listen to them, why would they listen to us?

michael.baldelli

The first set of thoughts that I had after reading this days ago at other news and discussion sites was that this is like a bunch of programmers trying to turn a bug into a feature, and an annoyance into a Value-Added Option. I don't believe a word of it as being "intentional". It sounds unintentional and they're trying to market it as a security feature.

T.wizzard

But wouldn't that be like the fox watching the hen house? Seems they should clean up their code before worrying about others' code....

Shellbot

however.. there are two issues here aren't there.. home users VS IT users.. my brother likes vista, he doesn't know nor care its resource heavy, cause all he does is use facebook, download music etc.. i'm just trying to say that because 10% of the population wants something one way, the companies will always cater for the other 90% right.. yes it will probably be the ME..and we got XP after ME..so maybe some of the problems will be solved with the next generation of Vista?

coatsfc

Is that a programming term or what? As for your employer making you write the code if you wrote code that corrected your app's ability to work with Vista wouldn't they reward you (pay)? And who are you talking about teaching you what? If your employer hired you don't you think they are assuming you know what you are doing? And isn't there still such a thing as self-improvement?

Shellbot

because if you bought a new computer anytime in the last year it came with!!! :) as for secure code..many can't be bothered.. many don't know how to..or just don't care..

drutledge

OK, let's do that. How about with Microsoft for bundling dozens of otherwise inaccessible user rights into the admin account and forcing users into an all or nothing choice? Why do they still restrict access to those privileges to the use of the same old built-in roles they had in NT 3.5? Why haven't they been exposed as discrete rights in the local security policy? Oh, yeah, and whose API's are the ones that require that level of access anyway? You guessed it, they are Microsoft's. This is more about MS wanting third party developers to forgo the use of useful functions than it is about security. (Unless you have seen any popups on your Vista 64 box that said "Permit buffer overflow in nt.dll Yes/No?", that is.) It's easy to hate arrogance, and when you bundle massive arrogance with an equally massive dose of incompetence, well, that answers your question, does it not?

Shellbot

and not thinking of the right "feature"?? Because on my Vista machine, when the box pops up, it has several options in a drop down..one is to "always allow this".. I don't think I've had a pop up in months..

coatsfc

Somebody might hear you tell the informed truth. I agree with you about patching the underlying system and slapping "lipstick" on a pig. If they would fix it correctly the first time they wouldn't have to send out so many patches but then again as you said their programmers would be out of a job.

shardeth-15902278

I am trying to accept it at face value, but quite a number of the voices in my head keep mumbling something about marketing spin.

shardeth-15902278

But then I believe the MS guy did include developers within MS as part of the target group. That is also primarily why I am on the fence, actually. The implication is MS is defining the standard for secure coding (which makes sense, it is their OS after all. they have a right to set the standard, so long as they fully document and disclose it). While there are some cases where lazy programmers fail to follow the standard, there are other cases where MS moves the standard around, and/or fails to fully disclose the API's, making it difficult/impossible for third party developers to follow the 'standard'. I give them props for taking the heat, but I'm not at all sure they are mature enough to take on the responsibility.

Shellbot

I'm just playing devil's advocate a bit. As I said, I have Vista (business) and I'm ok with it..a lot of people really actually don't give a toss..a lot of people do.. I hope they fix up the things they got wrong..but how long will it take? Do I wish my machine was XP? Yes..Am I heartbroken it's not..No. At the end of the day I'm going to take it and run with it. In the name of progress I will persevere.. :)

The Scummy One

there are more than just home and IT users. Ok, for simplicity there are basic users, advanced users, gamers, power users, support users, each having a different level of knowledge. Your brother appears to be more of a basic user, and he could use anything for an OS. An advanced user more often needs to know more about the filing structure, and more applications. As for Vista, more than 10% have already made up their minds. MS isn't/hasn't made the OS for the masses, they made it to what large companies wanted, then added a few bells and whistles and screwed around with many things to make it less friendly for anyone that uses more advanced functions of the OS. They then decided for marketing that they would change what functions were available in Home edition, and stripped some out, changed others so what you get for home basic is not good enough. This requires an upgrade or new license to obtain the items wanted. So, will Vista be another ME, I cannot say but it appears likely. Will Win 7 be better, I would guess so, if MS is watching what is happening with the Vista flop. But here is something for you. We didn't just get XP after ME, ME was the END of the 9x product line. It was meant as an interim replacement for people who did not want to move to Win 2k. It was meant not to last long, and there were few big reasons to move to it. XP was the new version for home users based on 2k, however 2k had already been out for quite some time and heavily used in businesses. In this way, XP was able to move easier into the home computing environment. Vista was handled all wrong in this manner, and it is biting MS in the a$$ now...

Tony Hopkinson

A man month is the resource equivalent to one person working for one month or for the mathematically astute two people working for half a month each, consecutively, concurrently or overlapping. I get paid to code what they tell me to code. Fix a security hole, make it vista compatible, add a new spangly button, a new feature... Same rate of pay for all. I do know what I'm doing, what I'm not doing, what I can do and what I can't do and why. Unfortunately many do not. My point about coding securely, was have a look at the certs and degrees for 'programming' then have a look for where they mention security concerns..... Not a lot is it? Fresh out of university, they don't know what a parameterised query is, why it's better and a sql injection attack is a KGB assassination ploy. No self improvement is dead, it upsets people, we should stick to the station we were born to and stop causing HR problems with our ceaseless whining for more. :p I'm not sure who rattled your cage, but if you ever take up marksmanship, get your mates to stand in front of the target, they'll be in less danger....

BlazingEagle

The type & AMOUNT of updates is when I have problems. Nothing is perfect & some updates are unavoidable, but there are times when some "updates" shouldn't be necessary to begin with. Some in the tech community are so caught up in lambasting MS, that their brains are mush.

Shellbot

yer lucky it was quittin time or I would have really wound ya up in my last post!! ]:) Moving forward with new products is always painful..but if they didn't give us something new every once in a while we'd still be using punch cards..the next generation of users will not know anything but Vista and will accept it for what it is, flaws and all.. Frankly, if I owned/ran a company as big as MS I really wouldn't give a flying feck what you or I thought...I'd be too busy drinking Cosmopolitans on a white sandy beach.... :)

shardeth-15902278

This last round of updates, there were 6 updates for Windows XP, but for Vista, there were only 8!!... Oh, wait... err... ;)

HAL 9000

But what's the excuse of the M$ developers who write this stuff? I know that I asked for UAC but not as it appears in Vista. Someone messed up big time with making it work in a way that wasn't asked for by the millions of people who M$ Asked. As UAC currently stands it looks like someone gave the approval to implement this during the Development stage of Vista and then some Idiot Marketing Type came along and said Great Idea lets make it do this & that as well. End result is that like all the rest of M$ products it does nothing at all well. Security out of the Box is the Biggest Joke that I've ever heard from the M$ Marketing Types. :D Col

BlazingEagle

Do these companies not beta test their software & software updates? Sheesh! I know they do, but you get the idea. Obviously nothing's perfect but sometimes, I wonder how stuff like this gets past testing.

drutledge

Not you. Them. Microsoft. The Evil Ones. The ones we hate enough to criticize when they deliberately annoy us and then brag about it. MICROSOFT - see also: The Lesser Satan. The Evil Empire, Inc. The Masters of Monopoly. The Proliferators of Patches. The Hackers' Best Friend. The Bloggers of Bloat. Even their address is arrogant: One Microsoft Way, Redmond, WA.

Forum Surfer

I didn't realize that by not hating Microsoft I was arrogant and incompetent. My mistake!

drutledge

Was trying to respond to the "why do everybody hate M$" comment. oops. Sorry.

wayoutinva

MS needs to fix its own stuff as well. Some of the offending programs have turned out to be MS products as well..So yes they need to clean their own house..The best example I know of is Autocad. It used to require that a user either be an admin or at the very least a poweruser because of where Autodesk had chosen to save certain files...Network admins pulled their hair out over that. Well Autodesk re-wrote where the software puts files and a couple of other tweaks and what do you know, a regular (restricted) user can run the software just fine now...no more admin rights required. If they can do it so can the other developers. I never said the UAC was a great idea and it probably is very counter productive to what the actual plan was..

Ed Woychowsky

I turned it off too, but I'm amusing myself with Microsoft bashing. :)

coatsfc

This is the MS bashing forum. UR ruining it. I agree though because when I turned it off it stayed off and I haven't received a popup since.

JCitizen

if it had actually identified the culprit that was causing the problems. I don't run Vista yet but my customers lead me to believe the messages were rather cryptic. After the WGA debacle, I'm not in the mood for MS nagging.
