People have been questioning Windows 7 security for some time, so it should come as no surprise that the security research community quickly twigged that its default UAC behaviour could be a little on the silly side where system security is concerned.
The problem is that by allowing certain digitally signed third-party executables to bypass UAC by default, Windows 7 is exposed to piggybacked third-party code.
Malware can exploit elevated instances of rundll32.exe, pointing them at malicious payloads that inherit the UAC approval from the parent process.
One researcher, Long Zheng, writes about how he developed a fully functional proof-of-concept app in VBScript that easily disables UAC entirely.
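Both issues above hinge on the UAC configuration: the default prompt level that lets whitelisted signed binaries auto-elevate, and the ability to switch UAC off altogether. The following PowerShell audit is an added example, not code from the article or from the researchers it cites; it reads the documented Windows UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and reports whether a machine is still at the exposed default or has had UAC disabled.

```powershell
# Added example: audit the UAC policy values that the two reported Windows 7
# issues depend on. Registry names are the documented Windows policy values;
# they are not taken from the article.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # Missing values mean "Windows default", so fall back to the documented default.
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Test-UacHardening {
    $enableLua     = Get-UacValue -Name 'EnableLUA'                 -Default 1  # 0 = UAC disabled outright
    $adminLevel    = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5  # 5 = Win7 default, 2 = "Always notify"
    $secureDesktop = Get-UacValue -Name 'PromptOnSecureDesktop'      -Default 1  # 1 = prompts on the secure desktop

    $findings = @()
    if ($enableLua -ne 1) {
        # This is the end state the VBScript proof-of-concept produces.
        $findings += 'UAC is disabled (EnableLUA != 1): all elevations are silent.'
    }
    elseif ($adminLevel -ne 2) {
        # Level 5 auto-elevates whitelisted signed binaries such as rundll32.exe,
        # so anything they load inherits admin rights without a prompt.
        $findings += "UAC admin prompt level is $adminLevel, not 2 ('Always notify'): signed whitelisted binaries auto-elevate."
    }
    if ($secureDesktop -ne 1) {
        $findings += 'UAC prompts are shown on the interactive desktop, not the secure desktop.'
    }

    if ($findings.Count -eq 0) { return 'UAC is at the most restrictive setting.' }
    return $findings
}

Test-UacHardening
```

Raising the prompt level to "Always notify" is `Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2` from an elevated shell; the change takes effect at next logon.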
So that is two UAC-related Windows 7 security flaws in a single week. You might think that Microsoft would take them seriously, very seriously indeed.
Yet the initial response was one of total denial: "Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent" said spokesman Jon DeVaan.
More detail about the Windows 7 security flaws and more on that Microsoft U-turn follows on page 2...