Tuesday, December 26, 2006

Vista Security Flaws Uncovered

by Michael Calore
Tuesday, 26 December 2006

Winvista_v_thumb_4 One full month before Microsoft Windows Vista ships to consumers, hackers and security experts have already discovered six serious flaws in the operating system. Vista was made available to business customers one month ago. Since then, the experts have been throwing everything they can come up with at this build of Vista hoping to discover possible vulnerabilities before the general public starts running the OS on their home machines.

John Markoff of The New York Times profiled the security software firm Determina and its tests to uncover exploits in Vista.

Here are some of the flaws, paraphrased from the NYT story:

  • Determina discovered a bug in Internet Explorer 7 that allows malware to be surreptitiously installed on a user's computer if he visits a "booby-trapped site" while browsing the web.
  • Determina also discovered a way to disable a network's Microsoft Exchange server by sending an infected email.
  • An unnamed Russian programmer discovered a way to hack his user permissions on all Windows systems on a corporate network using a Vista exploit. This is particularly dangerous, since a hacker could use his increased privileges to circumvent IE7's built-in sandbox controls.
  • Tokyo-based company Trend Micro has discovered a hacker on a Japanese message board offering to sell information about a Vista security flaw for $50,000.

Flaws are to be expected, especially in something as widely used and anticipated as a new version of Windows. Microsoft will most likely be releasing patches constantly during Vista's first six months on consumer desktops. Either way, if you're planning on running Vista right away, invest in some security software -- and use Firefox!

Shocked? I hope not ;)

No comments: