Microsoft has announced that it will be fixing a UAC security flaw in Windows 7, but the new system still leaves open one of the biggest security holes: people.
A few days ago, I mentioned that Microsoft was getting some flak for a security flaw in Windows 7’s implementation of UAC. In an effort to cut down on superfluous prompts, the default in Windows 7 is to not warn users about changes to system settings. The problem is that UAC’s settings are system settings, so a crafty hacker could silently silence UAC. The hacker’s code can now elevate to Administrator privileges without warning, thus defeating the whole point of UAC.
Microsoft’s initial attitude was that this is how things should work, much to the consternation of many developers. Yesterday, the company relented; UAC settings will now be a special case that always requires user approval in the form of that dreaded UAC prompt.
That’s all fine and good, but it doesn’t address social engineering, which is still one of the biggest problems facing desktop applications. The MSDN blog entry addresses this without quite emphasizing it:
We have also heard of security concerns that involve multiple steps to demonstrate a potential exploit. It is important to look at the first step—if the first step is “first get code running on the machine” then nothing after that is material, whether it is changing settings or anything else. We will treat very seriously the ability to get code on a machine and run without consent.
The problem is that users tend to consent to everything. It’s a well-known phenomenon, and even most power users tend to power through confirmation prompts with just a cursory glance. Having used Vista and Windows 7 as my primary OSs, I can say that the UAC prompts are not all that helpful —they tell you that something needs Administrator privs, but that’s a very broad statement. Click “yes” for enough installers, and you may not notice when UAC actually catches something.
Perhaps what’s needed is a two-tier UAC prompt that distinguishes between commonly-used privileges and rarer or more critical ones. Most actions will get the basic prompt, which would look much the same as today’s UAC, but the higher-importance prompts would warn users that unless they really know what they’re doing, “no” is probably the safer bet.
In other words, don’t just give the dry facts: help people interpret them. The Achilles heel of most prompts is that users don’t know what to do with them. A two-tier system would solve this by telling users, “it’s probably safe to confirm if you trust this vendor” or, “if you don’t really know what this means, we suggest denying the request.”