NEW YORK (AP) -- Windows Vista, the new computer operating
system that Microsoft Corp. is touting as its most secure ever,
contains a programming flaw that might let hackers gain full control
of vulnerable computers.
Microsoft and independent security researchers, however,
tried to play down the risk from the flaw, which was disclosed on a
Russian site recently and is apparently the first affecting the new
Vista system released to larger businesses in late November.
The software company said it was investigating the threat
but found so far that a hacker must already have access to the
vulnerable computer in order to execute an attack.
That could occur if someone is actually sitting in front of
the PC or otherwise gets the computer's owner to install rogue
software, said Mikko Hypponen, chief research officer for Finnish
security research company F-Secure Corp.
"The bottom line is you couldn't use a vulnerability like
this to write a worm or hack a Vista system remotely," Hypponen said
Tuesday. "It only has historical significance in that it's the first
reported vulnerability that also affects Vista. It's a nonevent in
other ways."
Attackers with low-level access privileges on a vulnerable
machine could theoretically use the flaw to bump up their status,
ultimately gaining systemwide control, Hypponen said.
The flaw affects older Windows systems, too, and Hypponen
said vulnerabilities like these are quite common and can be fixed
with a software patch, which Microsoft releases on the second
Tuesday of each month except for the most serious threats. The flaw
remains a proof of concept, with no one known to have actually
launched an attack with it, Hypponen said.
In a posting on Microsoft's security-response Web journal, a
senior security manager, Mike Reavey, said he remained confident
"Windows Vista is our most secure platform to date."
Vista, the first major Windows upgrade since Windows XP
launched in 2001, was made available Nov. 30 to businesses that buy
Windows licenses in bulk. Consumers generally won't be able to get
Vista until Jan. 30.
In trying to improve security, Microsoft redesigned its
flagship operating system to reduce users' exposure to destructive
programs from the Internet. But most security researchers believe a
complex product like Vista can never be error-free, so it was a
matter of time before someone discovered a security vulnerability.
Microsoft shares rose 35 cents to close at $29.99 in Tuesday
trading on the Nasdaq Stock Market.