John Pescatore, a security analyst with Gartner, said he wouldn't fault Microsoft for making the change, and sticking to it. "UAC in Vista was universally hated," he said. In fact, Microsoft's biggest operating system rival, Apple Inc., used that dislike to poke fun at Vista in its television advertising campaign.
"From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get 'click fatigue,'" Pescatore continued, referring to users who grow tired of answering prompts, or give those prompts short shrift. "Everyone hated it."
By toning down UAC, Microsoft is making Windows behave more like Apple's Mac OS X, said Pescatore. Mac OS X prompts users for an administrative password for some tasks, primarily before allowing a program's to install. "What Microsoft's doing here is not far from what the Macintosh does," he said.
Rivera, however, took exception to DeVaan's reasoning about why Microsoft doesn't consider the UAC problem a security vulnerability. "I'm concerned Microsoft is relying too heavily on external security mechanisms in Windows 7," he said via instant messaging Thursday. "With UAC weaker in Windows 7, I feel as if we've regressed back to having only a single layer of security. Once a border application becomes comprised by Windows 7-targeted malware, it's game over."
DeVaan, on the other hand, dismissed the concerns of Rivera, Zheng and others, saying that the default setting of UAC does not constitute a "security vulnerability" because "the reports have not shown a way for malware to get onto the machine in the first place without express consent." He then went on to argue that UAC is not a "security boundary" in Windows.
But in an interview Wednesday about problems with UAC's "auto-elevate" -- the technique Microsoft used to decrease the number of prompts -- Rivera said: "I understand 'something else' has to be breached," he said. "I hear Microsoft loud and clear here. The problem I have is that in Windows 7, a user can have malware that can break its [standard user] confinement to do administrative-level damage to the machine."