by xorblurb
3359 days ago
UAC is arguably better than nothing but: it was designed to run at max level (the only available one in Vista, where it was introduced). Because the UX hindrance was too high MS added intermediate levels, but without evolving the whole design from a security model point of view. The result is so weak that MS simultaneously started to declare that UAC is not a security boundary, so they don't have to include comprehensive fixes in each security patch, only partial ones in system upgrades, when they feel like it. https://github.com/hfiref0x/UACME currently references 8 unfixed bypasses. That's so high that I don't think this is reserved for targeted infection; it might very well happen in common malware.