So, to be exploited, the user has to be running as an admin already (yes, that’s far too common right now, and yes, it’s largely because huge numbers of apps demand privileges they shouldn’t), and even then, when the UAC prompt asks whether to run something with admin privileges, they have to click Accept.
Honestly, I just don’t see how 1) this is a news story or 2) this can be considered a flaw in Vista. I
What I do find hilarious is that if you port this to almost any other OS (admin account runs Evil Program), you’re actually less secure: you don’t even have to click Accept! Oh Noes!
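The practical question behind all this is whether a given session is in the state described above (admin account, but a consent prompt still stands between a program and admin rights) or is already fully elevated with nothing to click. The following PowerShell is an added example, not code from the original post or from the researcher quoted below; it only reads the documented UAC policy values under HKLM\...\Policies\System and inspects the current token, and the function name Get-UacPosture is my own.

```powershell
# Added example, not from the original post. Reports whether this session is
# in the "admin, but prompted" state the post describes, or already fully
# elevated with no prompt in the way. Nothing here changes UAC settings.
function Get-UacPosture {
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $policyPath

    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)

    # True only when the Administrators SID is *enabled* in the current token.
    # A UAC-filtered admin token carries that SID as deny-only, so this stays
    # $false until the user has actually clicked through an elevation prompt.
    $tokenElevated = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # EnableLUA = 1 means UAC is on at all; 0 gives every admin logon a full
    # token with no prompt, which is the "almost any other OS" case above.
    $uacOn = ($pol.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/3 = ask for
    # credentials, 2/4 = ask for consent (2 was the Vista default),
    # 5 = consent for non-Windows binaries only. Only 0 removes the click
    # entirely, which collapses a UAC box to the no-prompt case.
    $silentElevation = ($pol.ConsentPromptBehaviorAdmin -eq 0)

    # For an admin account this is the "has to click Accept" condition.
    # (A standard user is gated by a credential prompt instead, governed by
    # ConsentPromptBehaviorUser, which this check does not model.)
    $promptGatesElevation = $uacOn -and -not $silentElevation -and -not $tokenElevated

    [pscustomobject]@{
        User                       = $id.Name
        TokenElevated              = $tokenElevated
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        PromptGatesElevation       = $promptGatesElevation
    }
}

Get-UacPosture | Format-List
```

Run it once from a normal console and once from an elevated one: TokenElevated flips, and PromptGatesElevation goes from True to False, which is exactly the difference between the Vista behaviour described above and an OS where the admin account simply runs the program. If EnableLUA is 0 or ConsentPromptBehaviorAdmin is 0, the box is already in the no-click state regardless of how the user logged on.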
“I just hit accept,” Rutkowska replied to a question from the audience about how she bypassed UAC.