It may not present much—or, at the moment, any—danger in the real world, but a proof-of-concept security flaw outlined by a Russian research firm seems likely to go down in the books as the first security issue uncovered in Microsoft’s Windows Vista operating system.
The issue in Microsoft’s MessageBox API which targets a flaw in Windows’ Client Server Run-Time Subsystem. The issue is not Vista-specific; it impacts Windows XP, Windows 2003, and Windows 2000, and, in theory, could enable an attacker who already has authenticated access to a system to escalate privileges, potentially taking over the machine.
Microsoft says that they are not aware of any exploits of the flaw having been found in the wild, and users’ overall vulnerability is quite low. F-Secure’s Mikko Hypponen has told the Associated Press that the exploit could not be used to write a worm or create tools which could take over a Vista system remotely: the exploit would require local access to the computer, probably by tricking a user into running a trojan horse on their system.
Windows Vista is currently only available to Microsoft’s business customers and volume licensees; both Windows Vista and Office 2007 will go on sale to consumers at the end of January 2007. Microsoft is reportedly targeting January 30th as the products’ launch dates, following a media event in New York January 29th.
