Symantec: Vista UAC Is Still Too Chatty

 
 
By Matt Hines  |  Posted 2007-01-12
 
 
 

Symantec: Vista UAC Is Still Too Chatty


In positioning itself to provide aftermarket applications for Microsofts Vista operating system, anti-virus market leader Symantec is highlighting some shortcomings it believes to exist in the new platforms own security tools.

Among the conclusions of a presentation delivered to the media during the week of Jan. 8 by Symantec Vice President of Engineering Rowan Trollope is the software makers finding that the UAC (User Account Control) feature of Vista, a security innovation highly touted by Microsoft, remains unwieldy and confusing to users.

UAC is designed to help Vista limit malwares ability to escalate an individual PCs user privileges, a common technique used by code writers to spread their viruses from one machine to another.

Integrated with Vistas other onboard security technologies, the system is set to prompt users whenever a program attempts to change its status on their machines, thereby lowering the chances of hidden threats to operate on PCs running the OS.

Symantec, based in Cupertino, Calif., contends that UAC is too disruptive and hard for common users to understand, as well as a potential new headache for corporate IT administrators. This echoes criticism leveled at the feature when Vista was still in the beta development phase during early 2006.

Trollope said that the problems that remain with UAC—namely that it produces too many pop-up security warnings that use overly complex technical language—will give Symantec an opportunity to build products that help manage the system for Vista users.

"What weve heard from our customers is that UAC is pretty noisy, that it comes up with a lot of messages for end users," said Trollope. "People generally dont have a lot of experience with it yet, but when we talk to anyone using the [Vista] betas, they tend to think its somewhat onerous."

Beyond hassling people too frequently, and potentially creating new help desk requests in the corporate setting, Trollope said UAC might be so difficult that it defeats its very purpose in protecting end users.

"The danger with this is that if you are asking people these questions too often, and doing so in terms they may not understand, they tend to tune the feature out and turn it off," Trollope said.

Vista upgrade is a long way off, say IT pros. Click here to read more.

"We know people are doing this, and it presents a concern because you dont want a door lock thats left open because its too hard to unlock."

Unlike the controversy that raged between Symantec, rival McAfee and Microsoft over the level of kernel access the OS maker would grant its security partners in Vista 64-bit, the UAC issues are being positioned by Symantec as a business opportunity versus a fundamental flaw in the product.

Symantec is pitching its ability to add an "extra layer of intelligence" to UAC in yet-to-be-developed security applications that it said will be developed in cooperation with Microsoft.

Next Page: Microsoft stays friendly.

Microsoft Stays Friendly


Symantecs approach to the alleged Vista shortcoming may signal how the company will market its future products abilities to augment Microsofts platforms now that the OS giant has built its own security tools and is moving aggressively into Symantecs home turf.

And rather than Microsoft taking a combative tone with Symantec, as it did in the early days of the kernel patch protection debate of 2006, the software giants response to the UAC criticism appears to defer arguments over the limitations of the feature to avoid further in-fighting.

"We believe UAC is a good solution to help limit the impact of malware attacks, installation of unauthorized software, and unapproved system changes by making it easier to use Windows without administrator privileges," said Stephen Toulouse, senior product manager with Microsofts Security Technology Unit.

"If the user decides they do not want to run UAC and they would rather run a third party solution that provides similar functionality, they do have the choice to disable it."

One of the first people to highlight potential issues with UAC was Andrew Jaquith, analyst with Boston-based Yankee Group. In May 2006, Jaquith published a research report that suggested some enterprises might delay adoption of Vista until Microsoft had improved the feature.

VeriSign offers hackers bounty on Vista, IE 7 flaws. Click here to read more.

After the report was widely publicized, Microsoft officials pledged to tone down the frequency and complexity of the user prompts generated by UAC, but the analyst said that despite making improvements to the feature, it will be hard for some people to get used to the tool.

"Microsoft has taken a lot of the early feedback to heart and made some very good improvements, but, any interruption to user experience, no matter how infrequent, is still something different than what most users are comfortable with," Jaquith said.

"How much chatter is too much or too little wont be figured out for a while, UAC clearly needed to be improved, and Microsoft did that, but they will probably need to do more."

Others industry watchers agreed that some users are complaining that Vista UAC remains too noisy, and observed that such issues will provide opportunities for companies like Symantec to market security applications that build on Vista features.

And while Microsoft and Symantec will likely become even more heated rivals in the security space as they mature their respective products, it is important for users installing Vista to have the companies remain on good terms, said Natalie Lambert, analyst with Forrester Research, Cambridge, Mass.

"Microsoft is going to push further into the security arena just as Symantec is going to push further into the desktop management space, but they need each other, at least for today," Lambert said.

"Today Microsofts security products are at a severe functional disadvantage, but Symantecs applications will always run on Microsofts software; at the end of the day they will increasingly compete for the same dollars, but for now everyone has to play nicely."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.

Rocket Fuel