Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, is a noted developer of Windows utilities. In a Microsoft TechNet blog post, Russinovich explained that Vista features such as UAC or Protected Mode Internet Explorer that are dependent on limited user privileges are designed to allow some IL breaches: "Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use. Neither UAC elevations nor Protected Mode IE define new Windows security boundaries. Because elevations and ILs don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. The elevation and Protected Mode IE sandboxes might have potential avenues of attack, but they're better than no sandbox at all."
Russinovich said Microsoft had communicated this in the past, but that the point needed reiterating. According to Russinovich, a security boundary is a barrier through which code and data can't pass without the authorisation of a security policy. UAC and integrity levels were not intended to guarantee that processes with higher privileges are protected from compromise by lower-level privileges, but rather as a way of changing the way Windows software is developed: "If you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption."
News source: TechWorld