Microsoft has sent me a statement about the UAC “issue” in Windows 7 that was raised by bloggers Rafael Rivera and Long Zheng. Long story short, it’s not a vulnerability. Here’s the full statement:
This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).
