But in making these changes, Microsoft may have inadvertently introduced a gaping security hole. Since the default UAC setting now alerts users only when a third-party program tries to make changes to the PC, and not when the user makes changes, a malware program can deactivate the technology using nothing but simulated keystroke commands, without the user ever knowing that the system has been compromised. Then, after the machine is eventually restarted, a malicious user could embed something at boot time and take control of the computer.
Of course, such an attack could also be averted using other security technologies, such as an antivirus suite, but it goes to show how easily UAC can be taken out of the picture. Developer Rafael Rivera wrote a simple proof-of-concept script to underline this concern and also notes that users can play it safe by merely changing the UAC policy to “Always Notify.” Microsoft, on the other hand, seems relaxed about the topic, saying the flaw is “by design,” and apparently has no fix planned for it.
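As an added defensive check (this is not Rivera's proof-of-concept script, nor anything from Microsoft), here is a PowerShell snippet that reads the registry values behind the UAC slider and reports whether the machine is on “Always Notify,” the setting recommended above. The registry path and value names are the documented UAC policy values; the mapping of value combinations to slider positions is assumed from how Windows 7 stores them.

```powershell
# Added example: audit the UAC policy values behind the Control Panel slider
# and warn if the machine is not on "Always notify".
# Assumes Windows 7 or later. Reading these values needs no admin rights.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $uacKey

    # Treat a missing value as the Windows 7 default for that value.
    $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $consent   = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $secure    = if ($null -eq $p.PromptOnSecureDesktop) { 1 } else { [int]$p.PromptOnSecureDesktop }

    # Map the three values onto the four slider positions (assumed mapping).
    $level = if ($enableLua -eq 0 -or $consent -eq 0) {
        'Never notify (UAC effectively off)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        'Notify only when programs try to make changes (Windows 7 default)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        'Notify only when programs try to make changes, without secure desktop'
    } else {
        "Non-standard combination (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        AlwaysNotify               = ($level -eq 'Always notify')
    }
}

$state = Get-UacLevel
$state | Format-List
if (-not $state.AlwaysNotify) {
    Write-Warning 'UAC is not set to "Always notify"; changes made through the UAC UI will not prompt the user.'
}
```

The same three values are what an endpoint monitoring tool should watch for unexpected changes, since a silent drop from “Always notify” to a lower level is exactly the symptom described above.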