Software // Enterprise Applications
News
12/22/2006
02:34 PM
50%
50%

First Exploit Of Windows Vista Spotted

It is the first Windows Vista exploit made public since the operating system was released to volume license customers Nov. 30.

Proof-of-concept code for an unpatched vulnerability in all supported versions of Windows, including Vista, has gone public, prompting alerts from security vendors and a warning from its Russian discoverer that the flaw may be dangerous.

It is the first Windows Vista exploit made public since the operating system was released to volume license customers Nov. 30.

According Symantec and eEye Digital Security, the bug is a memory corruption vulnerability that pops up when the MessageBox function is called; eEye pegged the threat as "medium," while Symantec labeled it as a "privilege escalation," a type of threat generally considered low on the security scale. An attacker would need authorized access to a PC to exploit the bug.

The code first showed up on a Russian hacker site, and was subsequently posted to milw0rm.com.

Mike Reavy, program manager with the Microsoft Security Response Center, acknowledged that the team was "closely monitoring" the situation even as the holidays approached.

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings," Reavy wrote on the center's blog early Friday.

Windows 2000 SP4, Windows XP SP1 and SP2, Windows Server 2003 SP1, and Windows Vista are at risk, Reavy added.

The Russian researcher who first reported the bug to Microsoft on Dec. 16, however, observed that the vulnerability may be more dangerous than the "Less critical" rating that Danish bug tracker Secunia assigned. "There is potential remote exploitation vector if some service uses user-supplied input for MessageBox() function," wrote "ZARAZA U 3APA3A" on the Full Disclosure security mailing list.

Reavy downplayed the Vista-is-vulnerable angle. "While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date," he said. Microsoft has touted Vista, which released to corporations late last month and will debut Jan. 30 in consumer PCs, as significantly more secure than earlier versions of Windows.

Reavy also recommended users turn on a firewall, apply all Microsoft security updates, and install and/or update antivirus and anti-spyware software to protect their PCs.

Additional information on the threat will be posted to the center's blog, or if necessary, in the form of a security advisory, the mechanism Microsoft uses to inform users of possible defensive workarounds in lieu of, or prior to, a security update.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.