Vista's UAC warnings can hide a rat, Symantec says

21.02.2007

The bottom line, then, said Whitehouse, is: "Would the user treat this UAC with the same amount of caution?" His answer: No. Users will notice the teal border of the spoofed UAC prompt, read it the way Microsoft intended that color to be read when it chose the prompt colors, and likely click through without a second thought, he said.

"This does require some user interaction, but we can mask something [malicious] in a way that makes it look less alarming. UAC is just one of the tools that Microsoft architected into the OS to allow the user to make more informed judgments. But it's somewhat undermined" by this, he said.

Whitehouse said he contacted the Microsoft Security Response Center (MSRC) about two weeks ago to describe his findings. "They did not see it as an issue," he said. Instead, the MSRC pointed him to the .

"It's very important to remember that UAC prompts are not a security boundary -- they don't offer direct protection," said Whitehouse. "They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back. So while Microsoft may use the word 'trust' in relation to UAC in some of their [other] documentation, in actual fact, even the data these UAC prompts provide you with can't be trusted."
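The practical consequence of Whitehouse's point is that the prompt's own trust signals (its color and the publisher it displays) are not something to rely on; the thing to inspect is the binary that is about to run elevated. The following PowerShell function is an added illustration of that check and is not part of the article or of Symantec's research. It assumes you already know the path of the executable behind the elevation request; the function name, the output fields and the sample path are placeholders chosen for this example.

```powershell
# Added example, not from the article. Inspects an executable's Authenticode
# signature directly instead of trusting what a UAC prompt displays.
# Assumption: $Path is the executable that is about to be elevated.

function Test-ElevationCandidate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Get-AuthenticodeSignature verifies the embedded signature and the
    # certificate chain; Status is Valid only if both check out.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.Subject
    } else {
        '<unsigned>'
    }

    [pscustomobject]@{
        Path        = $Path
        # Possible values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Status      = $sig.Status
        Signer      = $signer
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        # The O= field of the subject is what a prompt colour is standing in for;
        # check it yourself rather than inferring it from the dialog.
        IsMicrosoft = ($signer -like '*O=Microsoft Corporation*')
        # Only a Valid status plus a signer you actually recognise is worth acting on.
        Trustworthy = ($sig.Status -eq 'Valid')
    }
}

# Usage: run against the executable before, or instead of, clicking Continue.
# The path below is a placeholder for this example.
Test-ElevationCandidate -Path 'C:\Windows\System32\cmd.exe' | Format-List
```

A valid signature answers only "who signed this file"; it says nothing about what the file will load or do once it has administrator rights, which is exactly the gap Whitehouse describes when he says there may be no easy way back once an action is allowed to proceed.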

Microsoft officials were not available for comment.