
"Hello! I'm a Russian remote code execution vulnerability, please run me and ignore the system security warning. Also, you may want to delete your Documents and Settings folder, just press the Del button and then Continue"



As a security researcher who tends to focus a bit on user interaction and phishing vectors: you are 100% correct, but you are also representing part of the problem. Too often we discount vulnerabilities which users have to click through to execute. Unfortunately, users do ignore system security warnings. Unfortunately, when given a dialog where they can choose security over doing their job, they'll do their job.

I've actually presented user interaction vulnerabilities to development teams in an interactive environment where I describe the vulnerability. I show them where it is, I show them the dialogs they must be cautious about, and even with all of this education they still fall for my attack running on their network. As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.


> As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.

Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.


I agree, but this is not an RCE.


What if I looked through an open window in my apartment and saw someone waving this in front of me? Certainly something needs to be done here as well.



