Microsoft Windows Vista flaw

Published in Microsoft, Security, Software by Aditi Tuteja

Just a month after the Windows Vista operating system shipped to businesses, Microsoft has confirmed that a flaw in the software appears to allow attackers to mount a privilege escalation attack.

This flaw is labelled a double-free vulnerability, caused by the way the Windows operating system handles error messages that are to be displayed. The vulnerability in the Client Server Run-Time Subsystem affects Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista, according to Microsoft.

Windows Vista marks the culmination of several security initiatives begun at Microsoft after the Code Red and Nimda worms–and, later, the Slammer worm–poked holes in the software giant’s security reputation.

Vista locks down older code and critical components, focuses on reducing the privilege of noncritical code, and adds more security management features to help users make the right decisions regarding system protection.

Vista, the first major Windows upgrade since Windows XP launched in 2001, was made available Nov. 30 to businesses that buy Windows licenses in bulk. Consumers generally won’t be able to get Vista until Jan. 30.

In trying to improve security, Microsoft redesigned its flagship operating system to reduce users’ exposure to destructive programs from the Internet. But most security researchers believe a complex product like Vista can never be error-free, so it was a matter of time before someone discovered a security vulnerability.


This article was written by Aditi Tuteja on 27 December 2006
Aditi is the founder and Chief Editor of RealGeek.com
