Charles said:
longzheng said:
*snip*

Yes. By infection, I mean vulnerability already on board (like a trusted installed application with, say, a buffer overrun hole). Other applications that you install or run can also self-elevate using this UAC default behavior. This is understood.

Is UAC supposed to solve the user-initiated-installation-or-download-and-execution-of-malicious-code problem? If Outlook is vulnerable to attack through a memory hole, well, patch Outlook Smiley Seems to me you are asking for a UAC state where auto-elevation under all circumstances is disabled.

C

We're asking for UAC to limit the scope of damage that can be caused by either route.