Actually, that's not true. The prompts have dropped in frequency to the point that every lay user I know actually denies access if they see a random UAC prompt get kicked up.
This was always a part of the UAC design philosophy.
The prompts have dropped in frequency to the point that every lay user I know actually denies access if they see a random UAC prompt get kicked up.
The prompt frequency is still ridiculous for the standard user case. I assume that's what we're talking about as it's the onyl true security boundary, and yet MS have done little to improve the amount of prompting there.
That's part of the problem.
MS should have refactored their apps so that they prompt less. (e.g. By caching objects through consecutive/related operations or givin Explorer an Admin Mode you could toggle via a single prompt, which is a better trade-off of security and convenience than
it always being in admin mode as it is in Win7.)
MS should have improved UAC so that it could display securely-generated descriptions of actions about-to-be-performed as part of the UAC prompts so that the absolutely braindead prompts-about-prompts Explorer shows could be merged into the actual UAC dialog.
If MS had done those things then both the admin and standard user cases would be much less painful to use at the Always Prompt level.
If MS had done this then they would not have needed to add a stupid, anti-competitive hack which hides UAC prompts from default users in their apps only while at the same time undermining the UAC prompt system with a hole you could drive a tank through*.
If MS had done that then standard user accounts might be something people would consider using instead of something they'll run away from faster than they ran away from Vista's UAC.
If MS had done that then we might be discussing whether or not standard user should be the default account type in Windows 7 instead of discussing this stuff.
(* And, dammit Larry, that hole is bigger than it was in Vista. Being prompted to let malware elevate vs allowing it to immediately and silently elevate is a significant difference. If it isn't then why do MS try to stop it happening at all? If it isn't
then surely standard user accounts are vulnerable to exactly the same UAC prompt spoofing? By your own logic, then, you actually do have the same prompt-spoofing security hole crossing a security boundary. I don't buy your logic at all. It's an excuse, not
reasoning. I hate to be arguing with people like Larry and Mark because I think they're great, intelligent, knowledgeable guys and I've enjoyed reading their stuff, and occasionally talking to them via their blogs, in the past, but so be it if they wheel out
logic like this.)