Archive for February, 2009

Microsoft cites ‘click fatigue’ for Windows 7 security change

Microsoft Corp. changed the default settings of one of its most important security features for Windows 7 because users balked at clicking more than two prompts a day, a company executive said today.

According to Jon DeVaan, the senior vice president responsible for Windows’ architecture and core components, the company changed User Account Control (UAC) in Windows 7 because data showed that users got ticked off when they were asked to deal with more than two UAC prompts in a day.

Responding to mounting criticism of the changes Microsoft has made to UAC for its still-in-development Windows 7, DeVaan said that the company studied how people reacted to the security feature, which debuted in 2007 with Windows Vista.

“In making our choice for the default setting for the Windows 7 beta, we monitored the behavior of two groups of regular people,” said DeVaan in a long entry to a company blog. “Half were set to ‘Notify me only when …’ and half to ‘Always Notify.’ We analyzed the results and attitudes of these people to inform our choice.”

The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. “If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer,” DeVaan said.

That, in turn, led Microsoft to boost the number of UAC settings in Windows 7. In Vista, users could either turn UAC off or leave it on; Windows 7 adds “Notify me only when programs try to make changes to my computer,” and uses that as the default.

And therein lies the rub.

Some users and developers have questioned the default setting. Last week, a pair of Windows bloggers, Rafael Rivera and Long Zheng, published a simple proof-of-concept script that demonstrates how hackers can easily disable UAC entirely without the user being the wiser. Their recommendation is to reset Windows 7's UAC to the highest level of warning, “Always notify me when,” which essentially mimics the behavior of the security feature in Vista.
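For an administrator who wants to verify which of the Windows 7 UAC levels a machine is actually running, and to apply the “Always notify” setting the bloggers recommend, the following PowerShell is an added example written for this page; it is not code from the article, from Microsoft, or from Rivera and Zheng. It assumes the well-known UAC policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`), which the article itself does not name; the mapping from those values to the slider labels is the example's assumption.

```powershell
# Added example (not from the article): audit the UAC notification level and,
# optionally, raise it to "Always notify". Assumed registry semantics:
#   EnableLUA                  1 = UAC on, 0 = UAC off ("Never notify")
#   ConsentPromptBehaviorAdmin 2 = prompt for consent for every elevation
#                              5 = prompt only for non-Windows binaries (Windows 7 default)
#                              0 = elevate without prompting
#   PromptOnSecureDesktop      1 = dim the desktop for the prompt, 0 = do not dim
$script:UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param([string]$Path = $script:UacPolicyPath)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    if ($p.EnableLUA -eq 0) { return 'Never notify (UAC off)' }
    switch ($p.ConsentPromptBehaviorAdmin) {
        2 { return 'Always notify' }
        5 {
            if ($p.PromptOnSecureDesktop -eq 1) {
                return 'Notify me only when programs try to make changes (Windows 7 default)'
            }
            return 'Notify me only when programs try to make changes (do not dim my desktop)'
        }
        0 { return 'Elevate without prompting' }
        default { return "Custom (ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin))" }
    }
}

function Test-UacAlwaysNotify {
    # Returns $true only when every elevation prompts on the secure desktop.
    param([string]$Path = $script:UacPolicyPath)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    return ($p.EnableLUA -eq 1) -and
           ($p.ConsentPromptBehaviorAdmin -eq 2) -and
           ($p.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Raises the level to "Always notify". Writing HKLM requires an elevated
    # session, and the change takes effect after a reboot.
    param([string]$Path = $script:UacPolicyPath)
    Set-ItemProperty -Path $Path -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $Path -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $Path -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Usage: report the current level and whether it already matches the recommendation.
"UAC level: $(Get-UacLevel)"
"Always notify enforced: $(Test-UacAlwaysNotify)"
# To apply the recommendation from an elevated prompt: Set-UacAlwaysNotify
```

`Get-UacLevel` only reads the policy key, so it can run as a standard user and is suitable for a fleet-wide inventory; `Set-UacAlwaysNotify` is the remediation step and belongs in an elevated session or a management tool that already runs as SYSTEM.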

Although DeVaan stopped short of saying Microsoft would not modify the default setting for UAC in Windows, he hinted that it would stick to its guns. “We are very happy with the positive feedback we have received about UAC,” he said today.

That confirms what a company spokesman said yesterday, that Microsoft would not roll back UAC to the more persistent prompting found in Vista. “No, Microsoft has not reverted Windows 7 UAC’s behavior to mimic Windows Vista,” the spokesman said when asked to clarify a fix the company said it has made to another reported problem in UAC.

John Pescatore, an analyst at Gartner Inc., said he wouldn’t fault Microsoft for making the change and sticking to it. “UAC in Vista was universally hated,” he said. In fact, Microsoft’s biggest operating system rival, Apple Inc., used that dislike to poke fun at Vista in its television advertising campaign.

“From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get ‘click fatigue,’” Pescatore continued, referring to users who grow tired of answering prompts, or give those prompts short shrift. “Everyone hated it.”

By toning down UAC, Microsoft is making Windows behave more like Apple’s Mac OS X, said Pescatore. Mac OS X prompts users for an administrative password for some tasks, primarily before allowing a program to install. “What Microsoft’s doing here is not far from what the Macintosh does,” he said.

Rivera, however, took exception to DeVaan’s reasoning about why Microsoft doesn’t consider the UAC problem a security vulnerability. “I’m concerned Microsoft is relying too heavily on external security mechanisms in Windows 7,” he said via instant messaging Thursday. “With UAC weaker in Windows 7, I feel as if we’ve regressed back to having only a single layer of security. Once a border application becomes compromised by Windows 7-targeted malware, it’s game over.”

DeVaan, on the other hand, dismissed the concerns of Rivera, Zheng and others, saying that the default setting of UAC does not constitute a “security vulnerability” because “the reports have not shown a way for malware to get onto the machine in the first place without express consent.” He then went on to argue that UAC is not a “security boundary” in Windows.

But in an interview yesterday about problems with UAC’s “auto-elevate” — the technique Microsoft used to decrease the number of prompts — Rivera said: “I understand ‘something else’ has to be breached. I hear Microsoft loud and clear here. The problem I have is that in Windows 7, a user can have malware that can break its [standard user] confinement to do administrative-level damage to the machine.”

Microsoft offers $250,000 for info on hackers; ICANN involved in effort too

Nearly 20 technology companies and organizations are combining forces to disrupt the command-and-control infrastructure of the rapidly spreading Downadup worm, prompted by infection rates of nearly 2.2 million machines each day.

Firms, including Microsoft Corp., Symantec Corp. and VeriSign Inc., have joined ICANN, the nonprofit group that manages the Internet Domain Name System, to preemptively register and remove from circulation the Internet addresses that the worm’s controllers use to maintain their hold on infected machines, said Gerry Egan, director of product management in Symantec’s security response group.

Separately, Microsoft has offered a $250,000 reward for information that results in the arrest and conviction of the hackers who created and launched the worm.

Although Microsoft launched its hacker bounty program in 2003, it has rarely used the $5 million it set aside at the time. The last time it offered a reward was in 2004, when it posted a quarter-million-dollar bounty on the maker of the Sasser worm. A German teenager was arrested in May 2004 and charged with creating Sasser. The following year, Microsoft paid out the reward to two people who helped identify the hacker.

Perhaps not coincidentally, security researchers — including those at Symantec — have recently drawn comparisons between Sasser and Downadup, which also goes by the name “Conficker.” Many of those comparisons relate to the size of the current attack, as well as the fact that the worm targets a wide-scale Microsoft vulnerability.

To stymie Downadup, the coalition plans to either pre-register or remove from circulation as many of the 250 different domains that the worm uses as possible, said Egan. “We’re working with the domain registrars to take them out,” he said. “It’s a combination of registering the domains and removing them from circulation.”

Once it has infected a PC, Downadup generates a list of 250 possible domains — the list changes daily — selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. Symantec and other security vendors, including Helsinki, Finland-based F-Secure Corp., have been preemptively registering some of those domains for weeks. They have then monitored the domains to get an idea of the worm’s back-end processes and to track its spread.

Symantec has used that approach to gauge the current strength of the worm. According to Egan, over the last five days, Symantec has monitored an average of 453,000 different infected IP addresses a day for Downadup.a, the original November version, and 1.74 million more infected IP addresses a day for Downadup.b, the more virulent variant that debuted in late December 2008.

Together, the two versions have infected an average of nearly 2.2 million PCs daily.

Egan declined to say whether the group would be able to completely disable the worm’s control mechanism, but said the consortium’s formation does not mean that researchers have new information about what malicious tasks the infected PCs might be told to perform. “We have no indication of its purpose as of yet,” he said.

Even so, Symantec sounded worried.

“The millions of systems infected by Downadup pose a risk to Internet users as well as to the infrastructure of the Internet,” the company said in a long post to its security blog. “Under the control of attackers, the millions of infected systems could be used to launch distributed denial-of-service attacks against specific users or organizations, crippling their ability to function on the Internet. Additionally, the infected systems could be used to deploy further threats, such as seeding a new worm that targets a more recent or undisclosed vulnerability.”

Last month, Microsoft refreshed its Malicious Software Removal Tool (MSRT), an anti-malware utility that cleans infected Windows PCs, with a signature for Downadup. Microsoft rarely reacts with a new MSRT signature as fast as it did in January.

The company has not responded to questions about how many PCs the MSRT has scrubbed of Downadup.

While Downadup uses several attack strategies — including using USB storage devices, such as flash drives, to spread — one of its primary infection vectors is by exploiting a Microsoft vulnerability that the company patched with an “out-of-cycle” update in late October 2008.

Microsoft denies it profits from Vista-to-XP downgrades

Microsoft Corp. has denied that it makes money when users “downgrade” Windows Vista to the older XP, as a lawsuit filed last week alleges.

The lawsuit, submitted to a Seattle federal court last Wednesday, stems from the $59.25 fee that a California woman was charged in mid-2008 when she bought a Lenovo laptop and downgraded from Vista to XP.

“Microsoft does not charge or receive any additional royalty if a customer exercises those [downgrade] rights,” said Microsoft spokesman David Bowermaster in an e-mail late last week. “Some customers may choose or need to obtain media or installation services from third parties to install the downgrade version.”

In fact, it’s computer makers, not Microsoft per se, who charge users the additional fees for downgrading a new PC from Vista to XP at the factory. Dell Inc., for example, adds an extra $20 to the price to downgrade a PC.

Microsoft, however, may profit from the way it structures downgrade rights. Only buyers of PCs with pre-installed editions of Vista Business and Vista Ultimate can downgrade, and then only to Windows XP Professional. All three editions are higher-priced versions of their respective lines, a fact that the lawsuit mentioned in passing.

“Customers have been forced to purchase the most expensive version of [Windows XP] in order to ‘downgrade’ from the Windows Vista operating system,” the complaint read.

That was the cause of some confusion last year, when Dell Inc. was accused of gouging customers by charging $150 to downgrade a new computer to XP. Dell, however, countered that although it did charge $20 to install XP on the machine, as well as to cover the cost of the additional media, the bulk — $120 of the $150 — was the price of upgrading the PC from the standard Home Premium to the more expensive Business edition.

Microsoft does not offer downgrade rights with its Vista Home Premium, the most popular of Vista’s editions.

“Microsoft mandates that customers who want to downgrade to XP must purchase the license to Vista Business or Vista Ultimate,” said Dell spokesman David Frink last December. “[That's] typically about a $130 premium, though some retail outlets charge more.”

“Downgrade” describes the Windows licensing rights that Microsoft gives users, who are allowed under some circumstances to replace newer versions of Windows with an older edition without having to pay for another license. The practice became popular last year when users, unhappy with Vista’s performance on the new PCs they bought, instead sought ways to run the leaner XP.

The lawsuit, filed by Los Angeles resident Emma Alvarado, charged Microsoft with multiple violations of Washington state’s unfair business practices and consumer protection laws through its policy of barring computer makers from continuing to offer XP on new PCs after Vista’s early-2007 launch. She claimed Microsoft’s practice resulted in customers paying more for XP than they otherwise would. “They have been forced to pay substantially more to acquire the Windows XP operating system than they would have to pay in a competitive marketplace,” the suit said.

Alvarado also named 100 “John Doe” co-defendants. “[They] are the persons, firms and corporations who have participated with Microsoft in the wrongdoings complained of and performed acts and made statements in furtherance thereof,” the lawsuit read. “The Doe Defendants act as co-conspirators and aided and abetted, or participated with, Microsoft in the commission of wrongful acts.”

Bowermaster claimed that Microsoft had no downgrade program as such. “Microsoft does not have a downgrade program. It does offer downgrade rights as part of some Windows Vista licenses, including Windows Vista Business purchased through the OEM channel.” That, however, belies the fact that Microsoft has regularly offered downgrade rights to users. When it released Windows XP in 2001, it allowed people who had XP licenses to downgrade to Windows 2000, Windows NT 4.0 or Windows 98, according to Gartner analyst Michael Silver.