Security researchers claim that the first flaw to hit Microsoft’s new operating system is now for sale by malicious hackers.
The flaw, which was discovered in December, was dismissed as a limited threat. But Marc Maiffret, founder and CTO of eEye Digital Security, said virus writers and malware authors are still shopping it around as a way to deliver more destructive payloads to the operating system.
Unlike XP, which allows anyone to have complete control of the operating system as an administrator, Windows Vista is billed as limiting so-called “system” privileges as a way to reduce how effectively a virus or malicious code could wreak havoc on a user’s computer. The first Vista exploit drives a truck through that claim, Maiffret said. The security researcher said as Microsoft improves its software “the cockier they get.”
He said if the Vista exploit is coupled with an Internet Explorer vulnerability, the local threat expands, putting consumers at risk when online.
A spokesperson for Microsoft said it is investigating the potential vulnerabilities that were recently disclosed. “Microsoft is not aware of any active attacks or impact to customers as a result of these responsibly disclosed vulnerabilities. Once the investigation is complete Microsoft will provide additional guidance to customers,” the spokesperson said.
“Should our investigation result in the need for a software update, Windows Vista’s default settings recommend automatic software updating so that customers need take no further action in order to have the potential problem corrected.”
Launched in November for volume licensees, Vista is slated for a consumer release later this month.