Alex Eckelberry wrote a good post today reacting to a Microsoft white paper on misunderstood features in Windows Vista. I especially liked his comments on UAC:
UAC could certainly have been handled better. It does something the security industry has been well aware of for a long time — it creates the “cry wolf” problem of popup fatigue (people turn off or ignore the popups after a while). Vista is more secure than XP, despite what others might say, but it still gets infected. Since over 80% of all infections are based on social engineering, the popups should focus on that weak point. If UAC targeted the key areas where people run into trouble (as opposed to harassing the user on inane actions), it would be far more helpful and potentially make a really significant impact on infection rates.
Exactly right. A little over two years ago, when Vista was still in beta testing, I had some suggestions for Microsoft on how to improve the UAC experience. I’ve updated those thoughts in my latest post over at ZDNet: