Microsoft caves in, will change Windows 7 UAC

06.02.2009

Wednesday, they followed up with more information about how hackers could fool Windows 7 into giving a malicious payload full administrative rights.

"This is definitely the result we've been looking for," Long said in an e-mail late Thursday. "[But] I'm a little bit shocked at just how quickly Microsoft has turned around, considering they made a post not 12 hours earlier stating that they would not change their position."

Rivera, Long, and others urged Microsoft to reconsider the default setting of UAC in Windows 7. That default, which DeVaan said Microsoft had selected because people running Windows balked at dealing with more than two security prompts per day, was to "Notify me only when programs try to make changes to my computer."

Microsoft, however, won't be taking that tack. Instead, the next public version of Windows 7 -- dubbed "RC" for release candidate -- will prompt the user before allowing any changes to UAC settings. "The way we're going to think about this [is] that the UAC setting is something like a password, and to change your password you need to enter your old password," DeVaan and Sinofsky said Thursday.

Microsoft has , but Sinofsky reiterated last week that the development process was moving straight from the public beta, which was launched Jan. 10, to the release candidate. In the past, the company has delivered multiple betas before moving to the RC milestone.