It's a kind of attack called a symlink race, which is also possible on other operating systems. There are kernel parameters for hardening against symlink races on Linux, and they just disable symlinking into world-writable locations. I'm not sure why Windows can't use a less invasive mitigation like that, but I guess there must be one.
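The Linux hardening this comment refers to, as an added example (not the commenter's code): it reads the `fs.protected_symlinks` sysctl and models the kernel's documented follow rule for that setting, so a directory can be audited for links the setting would refuse to follow. The function names are hypothetical and the UIDs and modes in the demo are constructed.

```python
import os
import stat
import tempfile

SYSCTL = "/proc/sys/fs/protected_symlinks"  # Linux sysctl fs.protected_symlinks


def protection_enabled(path=SYSCTL):
    """Return True/False for the sysctl value, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def follow_allowed(dir_mode, dir_uid, link_uid, follower_uid):
    """Model of the documented rule applied when protected_symlinks=1.

    A symlink may be followed when the follower owns it, when its parent
    directory is not both sticky and world-writable, or when the directory
    owner also owns the link. Anything else is refused.
    """
    sticky_ww = stat.S_ISVTX | stat.S_IWOTH
    if follower_uid == link_uid:
        return True
    if (dir_mode & sticky_ww) != sticky_ww:
        return True
    return dir_uid == link_uid


def blocked_links(directory, follower_uid):
    """List symlinks directly inside `directory` that follower_uid could not follow."""
    d = os.lstat(directory)
    blocked = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_symlink():
                link_uid = entry.stat(follow_symlinks=False).st_uid
                if not follow_allowed(d.st_mode, d.st_uid, link_uid, follower_uid):
                    blocked.append(entry.path)
    return sorted(blocked)


if __name__ == "__main__":
    print("protected_symlinks enabled:", protection_enabled())
    # Constructed case: /tmp-like directory (root-owned, mode 1777), link
    # planted by uid 1001, followed by a root-owned process.
    print("root may follow:", follow_allowed(0o41777, 0, 1001, 0))
    print("blocked for this user:", blocked_links(tempfile.gettempdir(), os.getuid()))
```

With the setting enabled, the constructed case is refused, which is what stops a privileged process from being redirected through another user's link in a shared temporary directory.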