Recent Flaw In Windows Vista May Be A Risk To Users
An advisory by eEye Digital Security Inc., an Aliso Viejo, California-based endpoint security firm, identified a flaw in Microsoft's Windows Vista and stated that the flaw gives users increased access to the system, potentially exposing the system to attacks. The firm rated the vulnerability as a medium risk.
In the last few months, the firm has reported various other flaws to Microsoft that remain unpatched.
The vulnerability, which was reported as an Upcoming Advisory, is among the first flaws identified in the latest operating system. In February 2007, Microsoft plugged a security hole in Windows Defender, a built-in anti-spyware and security component found in various products, including XP and Vista.
Marc Maiffret, Co-founder and Chief Hacking Officer of eEye Digital, points out that this new vulnerability is in the Vista operating system itself and not in a component that is used by many programs.
The flaw was discovered on January 9, 2007 but reported to Microsoft on January 19, 2007, ten days before the business retail and consumer launch of Windows Vista. It would allow a user who has direct access to the system to permanently elevate his user privileges, bypassing the security that Windows Vista's protected mode offers.
The flaw could also let a malicious individual who has physical access to the system increase the victim's user access, exposing him to malware risks. If combined with a virus specifically designed to exploit the flaw, it could be more dangerous. This flaw permits regular users to seize more power on the machine.
In an e-mail to Information Week, a Microsoft spokesperson said that Microsoft is aware of the report showing a potential flaw in Vista, but is not aware of any public discussion of the report. The company has no reports of any attacks trying to exploit the reported flaw or of user impact right now. It will continue to examine the report to help in providing additional guidance to customers as required.
December 2006 also witnessed a similar exploit for Windows XP and earlier operating systems, letting unprivileged code threaten all OS or third-party security measures and gain more privileges than SYSTEM. A flaw in IE (Internet Explorer) 6 identified in October 2006 (as per eEye, this flaw is still unpatched) allows remote installation of arbitrary code with minimal user interaction.
» SPAMfighter News - 12-03-2007