In positioning itself to provide aftermarket applications for Microsoft’s Vista operating system, anti-virus market leader Symantec is highlighting some shortcomings it believes to exist in the new platform’s own security tools.
Among the conclusions of a presentation delivered to the media during the week of Jan. 8 by Symantec Vice President of Engineering Rowan Trollope is the software maker’s finding that the UAC (User Account Control) feature of Vista, a security innovation highly touted by Microsoft, remains unwieldy and confusing to users.
UAC is designed to help Vista limit malware’s ability to escalate an individual PC’s user privileges, a common technique used by code writers to spread their viruses from one machine to another.
Integrated with Vista’s other onboard security technologies, the system is set to prompt users whenever a program attempts to change its status on their machines, thereby lowering the chances of hidden threats to operate on PCs running the OS.
Symantec, based in Cupertino, Calif., contends that UAC is too disruptive and hard for common users to understand, as well as a potential new headache for corporate IT administrators. This echoes criticism leveled at the feature when Vista was still in the beta development phase during early 2006.
Trollope said that the problems that remain with UAC—namely that it produces too many pop-up security warnings that use overly complex technical language—will give Symantec an opportunity to build products that help manage the system for Vista users.
“What we’ve heard from our customers is that UAC is pretty noisy, that it comes up with a lot of messages for end users,” said Trollope. “People generally don’t have a lot of experience with it yet, but when we talk to anyone using the [Vista] betas, they tend to think it’s somewhat onerous.”
Beyond hassling people too frequently, and potentially creating new help desk requests in the corporate setting, Trollope said UAC might be so difficult that it defeats its very purpose in protecting end users.
“The danger with this is that if you are asking people these questions too often, and doing so in terms they may not understand, they tend to tune the feature out and turn it off,” Trollope said.
Vista upgrade is a long way off, say IT pros. Click here to read more.
“We know people are doing this, and it presents a concern because you don’t want a door lock that’s left open because it’s too hard to unlock.”
Unlike the controversy that raged between Symantec, rival McAfee and Microsoft over the level of kernel access the OS maker would grant its security partners in Vista 64-bit, the UAC issues are being positioned by Symantec as a business opportunity versus a fundamental flaw in the product.
Symantec is pitching its ability to add an “extra layer of intelligence” to UAC in yet-to-be-developed security applications that it said will be developed in cooperation with Microsoft.
Next Page: Microsoft stays friendly.
Symantec’s approach to the alleged Vista shortcoming may signal how the company will market its future products’ abilities to augment Microsoft’s platforms now that the OS giant has built its own security tools and is moving aggressively into Symantec’s home turf.
And rather than Microsoft taking a combative tone with Symantec, as it did in the early days of the kernel patch protection debate of 2006, the software giant’s response to the UAC criticism appears to defer arguments over the limitations of the feature to avoid further in-fighting.
“We believe UAC is a good solution to help limit the impact of malware attacks, installation of unauthorized software, and unapproved system changes by making it easier to use Windows without administrator privileges,” said Stephen Toulouse, senior product manager with Microsoft’s Security Technology Unit.
“If the user decides they do not want to run UAC and they would rather run a third party solution that provides similar functionality, they do have the choice to disable it.”
One of the first people to highlight potential issues with UAC was Andrew Jaquith, analyst with Boston-based Yankee Group. In May 2006, Jaquith published a research report that suggested some enterprises might delay adoption of Vista until Microsoft had improved the feature.
VeriSign offers hackers bounty on Vista, IE 7 flaws. Click here to read more.
After the report was widely publicized, Microsoft officials pledged to tone down the frequency and complexity of the user prompts generated by UAC, but the analyst said that despite making improvements to the feature, it will be hard for some people to get used to the tool.
“Microsoft has taken a lot of the early feedback to heart and made some very good improvements, but, any interruption to user experience, no matter how infrequent, is still something different than what most users are comfortable with,” Jaquith said.
“How much chatter is too much or too little won’t be figured out for a while, UAC clearly needed to be improved, and Microsoft did that, but they will probably need to do more.”
Others industry watchers agreed that some users are complaining that Vista UAC remains too noisy, and observed that such issues will provide opportunities for companies like Symantec to market security applications that build on Vista features.
And while Microsoft and Symantec will likely become even more heated rivals in the security space as they mature their respective products, it is important for users installing Vista to have the companies remain on good terms, said Natalie Lambert, analyst with Forrester Research, Cambridge, Mass.
“Microsoft is going to push further into the security arena just as Symantec is going to push further into the desktop management space, but they need each other, at least for today,” Lambert said.
“Today Microsoft’s security products are at a severe functional disadvantage, but Symantec’s applications will always run on Microsoft’s software; at the end of the day they will increasingly compete for the same dollars, but for now everyone has to play nicely.”
Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine’s eWEEK Security Watch blog.
