Getting all excited to deploy Vista in your agency? You might want to think again. The New York Times reports that researchers and hackers are finding serious problems with "the last Windows."
Among the flaws: one described by Russian programmers that allows hackers to increase a user’s privileges on all of the company’s recent operating systems, including Vista. Another major flaw was found by the firm Determina in the new Internet Explorer 7, which could be a gateway for infecting user machines with malware if they visit certain sites. 7 browser.
“I don’t think people should become complacent,” said Nand Mulchandani, a vice president at Determina. “When vendors say a program has been completely rewritten, it doesn’t mean that it’s more secure from the get-go. My expectation is we will see a whole rash of Vista bugs show up in six months or a year.”
The Determina executives said that by itself, the browser flaw that was reported to Microsoft could permit damage like the theft of password information and the attack of other computers.
Theoretically, IE7 is a sandbox that prevents attacks on Windows systems outside of the browser, even if the browser itself is compromised.
However, when coupled with the ability of the first flaw that permits the change in account privileges, it might then be possible to circumvent the sandbox controls, said Alexander Sotirov, a Determina security researcher. In that case it would make it possible to alter files and potentially permanently infect a target computer. This kind of attack has yet to be proved, he acknowledged.
Determina also discovered a bug that would make it possible for an attacker to repeatedly disable a Microsoft Exchange mail server simply by sending the program an infected e-mail message, the Times said.
Windows Vista, the new computer operating system that Microsoft Corp. is touting as its most secure ever, contains a programming flaw that might let hackers gain full control of vulnerable computers.
Microsoft (nasdaq: MSFT - news - people ) and independent security researchers, however, tried to play down the risk from the flaw, which was posted on a Russian site recently and is apparently the first affecting the new Vista system released to larger businesses in late November.
The software company said it was investigating the threat but found so far that a hacker must already have access to the vulnerable computer in order to execute an attack.
That could occur if someone is actually sitting in front of the PC or otherwise gets the computer's owner to install rogue software, said Mikko Hypponen, chief research officer for Finnish security research company F-Secure Corp.
"The bottom line is you couldn't use a vulnerability like this to write a worm or hack a Vista system remotely," Hypponen said Tuesday. "It only has historical significance in that it's the first reported vulnerability that also affects Vista. It's a nonevent in other ways."
Attackers with low-level access privileges on a vulnerable machine could theoretically use the flaw to bump up their status, ultimately gaining systemwide control, Hypponen said.
The flaw affects older Windows systems, too, and Hypponen said vulnerabilities like these are quite common and can be fixed with a software patch, which Microsoft releases on the second Tuesday of each month except for the most serious threats. The flaw remains a proof of concept, with no one known to have actually launched an attack with it, Hypponen said.
In a posting on Microsoft's security-response Web journal, a senior security manager, Mike Reavey, said he remained confident "Windows Vista is our most secure platform to date."
Vista, the first major Windows upgrade since Windows XP launched in 2001, was made available Nov. 30 to businesses that buy Windows licenses in bulk. Consumers generally won't be able to get Vista until Jan. 30.
In trying to improve security, Microsoft redesigned its flagship operating system to reduce users' exposure to destructive programs from the Internet. But most security researchers believe a complex product like Vista can never be error-free, so it was a matter of time for someone discovered a security vulnerability.