A quarter of infected Windows PCs have UAC turned off

Users still turning off annoying feature.

Despite Microsoft’s efforts to make its User Access Control (UAC) security prompts less annoying, many users are still turning it off and in doing so helping thieves do their job, according to Microsoft.

“About 23 percent of computers reporting detections in a day had UAC disabled,” said Microsoft’s Trustworthy Computing Centre blogger Joe Faulhaber on Wednesday.

Microsoft introduced UAC with Windows Vista three years ago. It triggered an alert any time an application -- with good or bad intentions -- attempted to elevate its privileges to administrator level. Its over-zealous reporting, however, caused many to willingly turn off a critical security feature that promised to change both how developers wrote software and consumer security awareness.

Part of the problem was that Microsoft’s developer community were not writing applications to comply with that security rule, thereby contributing to the frustration felt towards the system. 

Microsoft executives at the time admitted UAC was designed to “annoy people”, according to Ars Technica, but some in the security industry warned it could create a “cry wolf” syndrome, which would blind users to real security threats.

During a tour of Australia in 2008, Microsoft’s head of Trustworthy Computing, Scott Charney, acknowledged that “clearly work has to be done” on the feature.   

That has happened, according to Faulhaber, who said that the bulk of legitimate software developers had rewritten their software to “not require elevation prompts”. But user perceptions have not caught up.

“Unfortunately, many Windows users have disabled UAC,” said Faulhaber.

Turning UAC off was exactly what malware writers had sought to build into their software ever since Microsoft introduced UAC, according to Faulhaber. Their attention to it is now increasing, to such an extent that Microsoft has created tools in its own security products, such as Microsoft Security Essentials, to detect when malware attempts to change UAC settings.

“The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate,” said Faulhaber.

All the major malware families, including the Sality virus, Alureon rootkits, Autorun worms, and banking trojan Bancos, had variants that turned UAC off. 
