In his review of the February Community Technology Preview release of Microsoft Windows Vista, Paul Thurrott had some discouraging news about how User Account Protection had been implemented.
Modern operating systems like Linux and Mac OS X operate under a security model where even administrative users don’t get full access to certain features unless they provide an in-place logon before performing any task that might harm the system. This type of security model protects users from themselves, and it is something that Microsoft should have added to Windows years and years ago.
Here’s the good news. In Windows Vista, Microsoft is indeed moving to this kind of security model. The feature is called User Account Protection (UAP) and, as you might expect, it prevents even administrative users from performing potentially dangerous tasks without first providing security credentials, thus ensuring that the user understands what they’re doing before making a critical mistake. It sounds like a good system. But this is Microsoft, we’re talking about here. They completely botched UAP.
The bad news, then, is that UAP is a sad, sad joke. It’s the most annoying feature that Microsoft has ever added to any software product, and yes, that includes that ridiculous Clippy character from older Office versions. The problem with UAP is that it throws up an unbelievable number of warning dialogs for even the simplest of tasks. That these dialogs pop up repeatedly for the same action would be comical if it weren’t so amazingly frustrating. It would be hilarious if it weren’t going to affect hundreds of millions of people in a few short months. It is, in fact, almost criminal in its insidiousness.
As if that wasn’t bad enough news, yesterday Paul posted a review of the latest build of Vista (build 5365) and the previous version of account protection appears to have been made even worse.
In build 5365, UAP has changed dramatically. (This is the one major change I noted previously.) However, none of the changes are related to making this feature less annoying. Instead, it’s been changed to obviate a potential security vulnerability in the original UAP implementation. Now, UAP consent dialogs open in a new environment called the Secure Desktop, where most of the screen goes black and only the consent dialog is available. This forces the user to deal with the dialog before doing anything else. So not only is UAP annoying, but now you can’t even get something else done until you deal with it.
My sources tell me that the security team at Microsoft were able to develop a proof of concept cursor spoof attack that hid the real cursor under a fake one, letting exploit code click the Allow button when the user thought they were clicking Cancel.
All this is not giving me a good feeling about the possibilities of improved security in Vista, whenever it might actually ship.