UAC in 7: Exponential Silent Attack Vector Multiplier

posted on February 4, 2009 by Bryant Zadegan


(Update: official statement appended to the end of the post)

I’m going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center (Control Panel, System and Security, Action Center), click “Change User Account Control settings” and set it to the maximum setting (“Always notify me when…”).
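A quick way to confirm that the slider really landed on the top position is to read the values Windows stores for it. The script below is an added example, not code from the original post or from Rafael Rivera’s proof of concept. It reads the documented policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) and maps them back onto the Action Center slider positions; the function name `Get-UacLevel` and the mapping are my own.

```powershell
# Added example (not from the original post): report the UAC level that Windows 7
# stores in the registry and say whether it matches the "Always notify" slider
# position the post asks readers to select.
#
# Value meanings used here are Microsoft's documented UAC policy values:
#   EnableLUA                  1 = UAC on, 0 = UAC off
#   ConsentPromptBehaviorAdmin 2 = always prompt for consent on the secure desktop
#                              5 = prompt only for non-Windows binaries (Windows 7 default)
#                              0 = elevate without prompting
#   PromptOnSecureDesktop      1 = dim the desktop while prompting, 0 = do not dim
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # A missing value casts to 0, which is reported as "custom" rather than guessed.
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # Map the stored values back onto the Action Center slider positions (my own mapping).
    $level = if ($enableLua -eq 0) { 'Never notify (UAC disabled)' }
             elseif ($consent -eq 2 -and $secure -eq 1) { 'Always notify' }
             elseif ($consent -eq 5 -and $secure -eq 1) { 'Default (notify only for non-Windows binaries, dimmed desktop)' }
             elseif ($consent -eq 5 -and $secure -eq 0) { 'Notify without dimming the desktop' }
             elseif ($consent -eq 0) { 'Never notify (silent elevation)' }
             else { "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
        IsAlwaysNotify             = ($enableLua -eq 1 -and $consent -eq 2 -and $secure -eq 1)
    }
}

$uac = Get-UacLevel
$uac | Format-List
if (-not $uac.IsAlwaysNotify) {
    Write-Warning 'UAC is not at "Always notify": trusted Windows binaries can elevate without a prompt.'
}
```

Reading these values does not require elevation, so the check runs from a normal PowerShell prompt; only changing them (which is what the Action Center slider does) needs an elevated session. Pinning the check on the stored values rather than the slider picture matters because, as the rest of the post argues, the slider can be moved without any prompt appearing.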

The reason why I’m asking you to do this shouldn’t be a surprise. You may have seen the UAC posts by Rafael Rivera and Long Zheng (I’m giving more of the credit to Rafael since he actually brewed the proof-of-concept code). People saw their posts and immediately assumed that this issue is only relevant for users who download malware. Thus, you hear lots of users saying out loud with no apparent fear of embarrassment:

“La di da, so long as I’m not stupid with what I download, I should be fine!”

Right. Well, Microsoft basically recommends that users install an antivirus because they don’t actually consider User Account Control to be a security feature. Anyone who knows the purpose of privilege management knows that any system which actively manages privileges is a security feature.

With this in mind, let’s take a look at why the UAC security flaw actually is a security flaw.

Update 2: Steven and Jon posted a second post about UAC today specifically addressing this flaw. Catch their response below the break.
