Microsoft admits to Vista flaw

By Graeme Wearden, ZDNet UK
Thursday, December 28, 2006 02:39 PM

Microsoft is investigating a security vulnerability which affects Vista, its newly launched operating system.

Mike Reavey, operations manager at Microsoft’s Security Response Center, revealed late last week that Vista is vulnerable to a flaw that allows a malicious hacker to escalate user privileges within several versions of Windows.

Proof-of-concept code that exploits the code has been posted online, Reavey said in a blog posting, adding that Microsoft isn't yet aware of any malware that takes advantage of it.

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system," wrote Reavey.

"While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date. As always, we here at the MSRC encourage everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software," he added.

Vista is Microsoft's first operating system release in five years. The company had repeatedly emphasized that it is more secure than previous versions, having been extensively rewritten.

One major change in Vista is that users accounts are created with administrator privileges turned off by default, unlike in XP where they are automatically turned on. Microsoft has cited this change as a key security change, as these administrator powers can be used to turn off other security measures.

As such, this flaw could put Vista users at risk. However, Mikko Hyppönen, chief research officer with Finnish security company F-Secure, has already said that the flaw it should not concern corporate or individual users as a malicious hacker can't take advantage of it unless they already have access to their machine.

Earlier this month, security firm Trend Micro claimed that a zero-day Vista flaw was being sold online for US$50,000. Vista was launched to businesses at the end of November. It will go on sale to consumers in early 2007.

0

0 votes

Save to My Library

Talkback 0 comments

There are currently no comments for this post.

Reply to story

Featured Whitepapers

Tech Jobs Now!

TechGuides

Specials
News and Interviews
Whiteboard

UOB banks on economic downturn
Singapore bank's IT chief Susan Hwee explains how financial crisis offers new opportunities to reengineer
Play video
Domino's Pizza keeps customers eating
CEO Don Meij discusses strategy to grow customer base
Play video

Salesforce CEO chatters about new social media platform
Facebook-type app hits the enterprise
Play video
Salesforce demos Service Cloud 2
New Web-based tools for customer service
Play video

Cost Effective, Secure and HA Server Infrastructure for SMBs
Alan Wan from Dell illustrates how small and medium businesses can build a high availability IT infrastructure without requiring heavy investments on skills and resources.
Play video
Enterprise 2.0
Vince Casarez, vice president of product management at Oracle, explains how Web 2.0 technologies, such as tags, wikis, and mash-ups, can be applied within an organization.
Play video