longzheng said:
AndyC said:
*snip*

I am not implying UAC is a security boundary. I'm over the whole "boundary", "feature" terminology.

I draw upon Wikipedia's definition of an vulnerability, "a weakness in a system which allows an attacker to violate the integrity of that system", which in this case appears to fit very well. Even if we assume UAC is not a security feature, which Larry now confirms it is, a "convenience feature" can still have a vulnerability.

Long, I know where you're coming from. However if you say "X has a vulnerabilty" to a security architect and your "vulnerabilty" doesn't cross a security boundary, it'll be dismissed as incorrect. Avoiding the word vulnerability takes the focus off a strict technical definition and focuses more on what is or isn't the right behaviour.