Vista Security Flaw Discovered
Company officials maintain that the flaw's risks are low.
Windows Vista, the new computer operating system that Microsoft Corp. is touting
as its most secure ever, contains a programming flaw that might let hackers
gain full control of vulnerable computers.
Microsoft and independent security researchers, however, tried to play down
the risk from the flaw, which was disclosed on a Russian site recently and is
apparently the first affecting the new Vista system released to larger businesses
in late November.
The software company said it was investigating the threat but found so far
that a hacker must already have access to the vulnerable computer in order to
execute an attack.
That could occur if someone is actually sitting in front of the PC or otherwise
gets the computer's owner to install rogue software, said Mikko Hypponen, chief
research officer for Finnish security research company F-Secure Corp.
"The bottom line is you couldn't use a vulnerability like this to write
a worm or hack a Vista system remotely," Hypponen said Tuesday. "It
only has historical significance in that it's the first reported vulnerability
that also affects Vista. It's a nonevent in other ways."
Attackers with low-level access privileges on a vulnerable machine could theoretically
use the flaw to bump up their status, ultimately gaining systemwide control,
The flaw affects older Windows systems, too, and Hypponen said vulnerabilities
like these are quite common and can be fixed with a software patch, which Microsoft
releases on the second Tuesday of each month except for the most serious threats.
The flaw remains a proof of concept, with no one known to have actually launched
an attack with it, Hypponen said.
In a posting on Microsoft's security-response Web journal, a senior security
manager, Mike Reavey, said he remained confident "Windows Vista is our
most secure platform to date."
Vista, the first major Windows upgrade since Windows XP launched in 2001, was
made available Nov. 30 to businesses that buy Windows licenses in bulk. Consumers
generally won't be able to get Vista until Jan. 30.
In trying to improve security, Microsoft redesigned its flagship operating
system to reduce users' exposure to destructive programs from the Internet.
But most security researchers believe a complex product like Vista can never
be error-free, so it was a matter of time for someone discovered a security
Microsoft shares rose 35 cents to close at $29.99 in Tuesday trading on the
Nasdaq Stock Market.