Researchers find fault with Windows Vista OS
Security flaws a blow to Microsoft’s reputation
With less than a month gone since the corporate release of Microsoft’s Windows Vista, the software giant is already under fire over potentially serious security flaws found in the operating system.
A number of security firms have posted warnings about the vulnerabilities, the most serious of which relate to the operating system’s account control and Internet Explorer 7 (IE7) browser.
According to both Determina and Secunia, the account control flaw is present in all recent editions of Microsoft’s OS, including Vista, and malicious local users can exploit this vulnerability to increase the level of a person’s system privileges.
Determina said the browser flaw has the potential to be even more dangerous as it opens the door for hackers to infect a user’s Vista-based PC with malware just by the user visiting certain web sites.
The firm, which flagged these and four other vulnerabilities, said that, coupled with the account control flaw, the browser vulnerability might allow a hacker to circumvent IE7’s sandbox controls and permanently infect a computer.
The news is a blow to Microsoft, which would have been hoping the highly publicised improvements it has made to the platform’s security would avoid such embarrassing vulnerabilities, especially as the OS has yet to be made widely available.
The company has repeatedly said that it is working hard to improve security. “We focused a lot in the past on improving the core security in our products,” Microsoft CEO Steve Ballmer told a keynote audience at the company’s Worldwide Partner Conference held earlier this year.
The discovery of the flaws also does little to silence the chorus of criticism coming from security vendors, who have been highly vocal in their disapproval of the way Microsoft has gone about beefing up protection for Vista — at one point claiming that Microsoft was denying them access to the central code for the OS.
Even before these latest vulnerabilities came to light, security vendors had predicted such flaws were likely, issuing warnings of such vulnerabilities in the run-up to Vista’s launch.
Speaking to IT Weekly earlier this month, Symantec MENA regional director Kevin Isaac said there would always be unforeseen flaws that hackers could exploit.
“Any time you introduce new software into your IT environment, there is potential that unforeseen security vulnerabilities may emerge. If this happens, you will need to address the vulnerabilities immediately,” he commented. “A new operating system often has technological advantages, but it may also create vulnerabilities and issues that are discovered over time.”
According to comments posted by a Microsoft executive on a company security web site, the software giant is monitoring both the account control and browser vulnerabilities, but as yet has not observed any public exploitation or attack activity.
“While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date,” wrote Mike Reavey, operations manager of the Microsoft Security Response Centre.