The flaw, which was discovered in December, was dismissed as a
limited threat. But Marc Maiffret, founder and CTO of eEye Digital
Security, said virus writers and malware authors are still shopping
it around as a way to deliver more destructive payloads to the

Unlike XP, which allows anyone to have complete control of the
operating system as an administrator, Windows Vista is billed as
limiting so-called "system" privileges as a way to reduce how
effectively a virus or malicious code could wreak havoc on a user's
computer. The first Vista exploit drives a truck through that claim,
Maiffret said. The security researcher said that as Microsoft improves
its software, "the cockier they get."

said if the Vista exploit is coupled with an Internet Explorer
vulnerability, the local threat expands, putting consumers at risk

A spokesperson for Microsoft said it is investigating the
potential vulnerabilities that were recently disclosed. "Microsoft
is not aware of any active attacks or impact to customers as a
result of these responsibly disclosed vulnerabilities. Once the
investigation is complete Microsoft will provide additional guidance
to customers," the spokesperson said.

"Should our investigation result in the need for a software
update, Windows Vista's default settings recommend automatic
software updating so that customers need take no further action in
order to have the potential problem corrected."

Launched in November for volume licensees, Vista is slated for a
consumer release later this month.