Microsoft admits to Vista flaw

By Graeme Wearden, ZDNet UK

28 December 2006 09:07 AM

Tags: vista, windows, microsoft, longhorn, flaw, mike reavey, vulnerable

Microsoft is investigating a security vulnerability which affects Vista, its newly launched operating system.

Mike Reavey, operations manager at Microsoft's Security Response Centre, revealed last Friday that Vista is vulnerable to a flaw that allows a malicious hacker to escalate user privileges within several versions of Windows.

Proof-of-concept code that exploits the code has been posted online, Reavey said in a blog posting, adding that Microsoft isn't yet aware of any malware that takes advantage of it.

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system," wrote Reavey.

"While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date. As always, we here at the MSRC encourage everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software," he added.

Vista is Microsoft's first operating system release in five years. The company had repeatedly emphasised that it is more secure than previous versions, having been extensively rewritten.

One major change in Vista is that users accounts are created with administrator privileges turned off by default, unlike in XP where they are automatically turned on. Microsoft has cited this change as a key security change, as these administrator powers can be used to turn off other security measures.

As such, this flaw could put Vista users at risk. However, Mikko HyppÃ¶nen, chief research officer with Finnish security company F-Secure, has already said that the flaw it should not concern corporate or individual users as a malicious hacker can't take advantage of it unless they already have access to their machine.

Earlier this month, security firm Trend Micro claimed that a zero-day Vista flaw was being sold online for US$50,000. Vista was launched to businesses at the end of November. It will go on sale to consumers in early 2007.

Graeme Wearden of ZDNet UK reported from London

Talkback (24)
Print
E-mail
Share
- del.icio.us
- Digg
- Reddit
- Slashdot
- StumbleUpon

Talkback 24 comments

Add your opinion

but.. we dont "need anti-virus" Anonymous -- 28/12/06

Microsoft has calmed Vista wouldn't even need anti-virus.. well so much for that. They couldn't even defend that to their launch date with that propaganda.

waste of time money resources and anything else you'd like to add. Anonymous -- 28/12/06 (in reply to #320072495)

but more importantly, nobody really even NEEDS vista.

Is there ANYTHING it can do that XP can't do without a thrid party program being installed to accomplish the task? ANYTHING that is actually worthy of an upgrade? I have yet to see it.

What is the point of releasing a new O/S, that is rewrtitten and introducing(surely) a whole new slew of bugs and problems than even XP has?

I am in no hurry to get Vista, and until something comes out that absolutely requires it, I doubt I will ever be running it.

But.. it has a new screensaver. Evil_James -- 29/12/06 (in reply to #320072504)

I can't find a reason. (mostly because Ive been using Unix / Linux / Mac OS X, since Windows 98, and can't find any thing I need windows for at all.)

Not quite correct Evan -- 28/12/06 (in reply to #320072495)

Anti-Virus protects you from viruses, not hackers... especially a hacker with access to the physical machine. Although I'm positive Vista will not be safe for computer "dumies", there will be flaws that will compromise security, and they will be taken advantage of, mostly through IE.

Personaly, I havent had 1 virus on my current Win XP computer, that Ive had for 2 years, Ive never even been warned of a virus comming in [through norton]. The amount of adware is nearly 0, I rarely even scan because theres never any, I give credit to the fact im computer educated and dont download bad file type files, certain images, and above all and most importantly, I use Firefox.

same as that Anonymous -- 29/12/06 (in reply to #320072507)

0 viruses, 0 malware, 0 spyware, even 0 crashes or hangs in 4 years of desktop use and upgrades and 3 laptops.

But i'm an IT type too, and use Firefox

Goes to show where the security issues are, the user not the OS

Firefox Anonymous -- 30/12/06 (in reply to #320072527)

I need to add noscript and adblock plut to XP because I pull up WAY too much junk.

Its not a luck thing.. I think you guys are using expencive proxys, anti-virus scaners or something because just using XP on the net without anti-virus will trash your system in minutes. You cant act like its just fine because even bill gates said he has to use anti-spyware programs.

U-huh Anonymous -- 03/01/07 (in reply to #320072527)

0 that you know of.

Firefox? Brad -- 31/12/06 (in reply to #320072507)

Evan, your comments relating to careful usage of the Internet by watching what you download is plenty of reason why Firefox is not required.

I, like you, have been using Windows XP for a long time and I am very careful about what web sites I visit, along with what I download from the web and other resources and in addition to that I am a seasoned IRC user and as such I have heard so many tales about what experts people think they are just because they've managed to set up a plug and play broadband router and follow some blind faith placed in the Firefox browser by people more or less of the same ilk.

I've always used Internet Explorer for browsing and only go near other browsers to test web sites that I develop - I am one of those who believes that there is more to the web than Firefox, an equally vulnerable browser as any other and there are enough links on this website alone to prove that. To date, I am yet to score a hit from any malicious code via the web or any other means.

It makes me roar with laughter that people think that Firefox is some sort of invincible security titan that will save the world from all those nasty hackers out there.

What's your point? Anonymous -- 17/01/07 (in reply to #320072545)

Internet Explorer is the worst browser imaginable. You speak of developing website and having to use other browsers to test them. I'm sure you **** when you are developing and you did something that works great in Internet Explorer but doesn't work in all the other browsers. Do you think all the others browsers it doesn't work in are the problem. I use firefox because it is great for javascript development. Just compare the Firefox javascript console to the useless error messages you get in IE. I prefer writing javascript in Firefox because works across most browser, but because of the existence and ubiquity of a certain browser I have to rewrite to whole lot.

Norton? Anonymous -- 17/01/07 (in reply to #320072507)

If your computer educated why are you using crap software like Norton Antivirus

you are afraid to browse the wild www with M$ windoze Anonymous -- 18/01/07 (in reply to #320072507)

With M$ windoze, you MUST be afraid to browse the wild www. I use Linux, with all the security extensions and I can browse what ever I want without the fear of adware malware viruses, worms etc. I know there are way tooooo many guys/gals with windoze out there to protect me ;-).

Keep drinkin the koolaid.. Anonymous -- 29/12/06

Yeah, subject ^

So you really believe all that. VISTA IS UNCRACKABLE.

w/e dude, there is no computer system made that is. Even the spy spook NSA stuff has problems. Besides that Microsoft doesn't even *understand* the nature of security. There practices are wrong because they are still trying to make desktop OS's that are easy and convent to use. Security is just trumped by marketing.

it just works =! security

What's koolaid ? Anonymous -- 18/01/07 (in reply to #320072510)

What's koolaid ?

re whats koolaid gavin burton -- 27/02/07 (in reply to #320073268)

Wikipedia can tell you:

http://en.wikipedia.org/wiki/Kool-Aid

"drinking the koolaid" is one of my favourite

Who's Kool-aid? catherine jennifer fusco -- 22/02/09 (in reply to #320073268)

Kool-aid knows the "system" pun intended!He/she knows the political arena,& is well aware! I can't believe, the genius's that revolutionized these computers didn't stop to think, that all things can be compromised! Imagine, these criminals having a huge peice of our market, and nobody can touch them, tell me, what do they get if there's nothibg worth stealing anyway? Do they just "enjoy" screwing us up?? Kool-aid, they have the Kool-"aid" of the US Enter-prize! Drink,cry in your beer,{never liked that expression} who does that, anyway?

Kool-aid catherine jennifer fusco -- 22/02/09 (in reply to #320073268)

Added ny sentiments but was not included in discussion! Koolaid is right, these so called genius's who invented these computers didn't "compute" that everything can be comprimized! While "the criminals" who are enjoying the American Dream, Hacking Us, we are in a nightmare of sorts, yes, they ARE in a free enterprize,no matter what happens to this economy! They can buy more than Kool-aid!

firefox & adblock plus Santa Cruz -- 30/12/06

i've been running current Windows installation for about 3 years and i too have never had spyware, viruses, etc. I am also an IT-type but I agree 100% with the guys above: It's largely because I use Firefox (and ZoneAlarm).

Not just that, I also use Adblock Plus. I recommend using that Add-on just as highly as I recommend FF itself. Try it, you will never go back - unless you really like ads for some reason.. https://addons.mozilla.org/firefox/1865/

Agree Anonymous -- 18/01/07 (in reply to #320072538)

Agree but not an IT type ;-) FF latest version, router, firewall, AV, SpyBot with Tea timer running behind the scenes, pop-up stoppers and adblock.

I've now taken to webmail via gmail to keep all of that toxic crap off my computer. 70% of my email was SPAM with all it's troublesome payloads

The fix is really simple...so very very simple.... Anonymous -- 09/01/07

Just install the Ubuntu, Suse or Fedora service packs !

All your problems are then solved!

Are you people simple or something?

cheers!

Simple Fix Use Linux Anonymous -- 18/01/07

Use a Debian Version of Linux and you will be fine.. Frig Mac is basicaly nothing with out all the great Linux programs ...

Your choices are
-Windows (98,2000 or older no support alot does not work!)
the new , Microsoft_Vista (Viruses,Instability,Spyware,Trojans,Adware) Showing off there NEW DMR restrictions (You know where you pay for so many times you can play it! lol
-Go Mac and pay through the nose for a world where you live in this bubble and upgrades cost alot
-Or go where everything is going LINUX cellphones, Routers, toasters everything cool.. Made by the people for the people..

Cause with windows you wil never be able to get away from ADVAPI.DLL... You can't block it kill it or stop it.. but hey if you read the licence and understood it you would understand your just sorta using there software.. Welcome to the real world !

As for me I been doing everything I need in a rock solid KDE desktop debian type linux distro (ubuntu,Knoppix,kantix,...) and Get this I never reboot or turn it off and I get work done.. can do everything I need to do..

Its sad.. even if you write a virus to stop or show people there is a big problem and it crashes all the computers in the world people are still dumb enough to believe that it was just some kid showing of to his freinds.. (note he was never charged)

Illegal OS Justification Anonymous -- 22/01/07

Makes me believe that all those illegal versions of Windows are OK. Why should anyone pay such high prices for incomplete OS's that need to be patch monthly and protected by 3rd party software. Until MS does a decent job, I'll never pay for Windows. I currently duel boot WinXP and Ubuntu, but XP is only there for games. I wish all games released for Windows had a Linux version too so I can rid my PC of the Windows infection. By the way, I rarely (if ever) have security issues - ZoneAlarm Security Suite, Firefox, Broadband Firewall Router.

keep complaining and then keep buying Kelly Kinsey -- 31/01/07

It amazes me that some people complain and **** about Microsoft and Vista (and XP) but will go out and spend thousands on a new car every 5 years (because it's supposed to be better), or update antivirus and firewall software each year for $25. - $50. a year, or new jeans every couple of years at $50-$150. cuz they're cool. But you'll **** about spending money on an operating system that the company has spent billions making. And that you use every day, 365 days a year. I know, why don't you work for 5 years then give the money back to your boss.

I'm surprised it takes so little to amaze you Anonymous -- 10/08/07 (in reply to #320073895)

A car has a resale value, it will take you to work and gives you a lot in relaxing comfort, reliability and performance which has nothing at all to do with Vista. I never asked MS to develop, produce or offer me anything, least of all, Vista. If you like it, you buy it, you use it and let the rest of us worry about we want to buy and how much we want to pay for it. It is after all, a decision for the individuals to make without listening to your HS about how much MS has spent and what we should support. I care less how much they spent, how much they make or how much they exploit as I have no interests in MS, get it ?

Windows One Care Gragh -- 31/01/07

I was testing the Windows One-Care antivirus antiviral system, and I wouldn't buy it with someone elses money.
Once installed, the user is unable to uninstall it, and when connecting to someone in an internet game, it will automatically alt tab out of the application, display a dialogue box (sometimes rendered unreadable because of an application crash caused by One Care), and force you to restart the game application in order to gain the confirmed privledges.
Also, it will cost a certain amount of money a month (i can't remember, formatted by PC to get rid of this trojan).
D:

Add your opinion

Latest Videos

Play now

Malcolm Turnbull's ghost twitterer
At the Sydney Media140 conference several weeks ago, Opposition Leader Malcolm Turnbull admitted he doesn't pe… Watch it now
Play now

Google Chrome OS demonstration
Vice President of Product Marketing Sundar Pichai gives a virtual tour of Google's new operating system, Chrom… Watch it now
Play now

Surf the Net like it's 1991 with Gopher
The old Gopher protocol is not dead. In fact, it even has Twitter! Here's how to access it.… Watch it now
More videos »

Blogs

Get extensions going in Firefox, redux
Previously on Null Pointer we looked at getting extensions working in Firefox betas, and that was great until the fine folks at Firefox changed their minds.
How reliable is IP telephony?
Have you ever heard a weird kind of hissing, crackling or popping noise when calling someone on an IP telephony line? How rare is the phenomenon these days?
Forget the NBN, 100Mbps is already here
Telstra and TransACT will shortly begin offering 100Mbps broadband to many customers. By moving early, the companies have not only raised the bar for Australia's broadband services, but thrown down a challenge to a government that now faces increased pressure to deliver the NBN as promised.
More blogs »

Reader Services

Essentials

Broadband Plan Finder
Not sure which broadband plan to choose? Try our Broadband Plan Finder.
Best Servers
Check out the best servers here!
Mobile Phone Plan Finder
Pick the best mobile phone plan deal with our Mobile Phone Plan Finder.
Broadband speedtest
How fast is your Internet connection? Calculate the speed here.
Top Ten Servers
Want to find out what servers are in the top ten? Check here!

News > Security