Microsoft’s security experts had an uneasy Christmas after a security flaw was discovered in Windows Vista, the software company’s new operating system - the first since its official release four weeks ago.
The flaw is a symbolic blow to Microsoft, which has spent five and a half years developing Vista. The software, which was launched two years later than originally planned, is the biggest upgrade to the operating system since the release of Windows 95 and Microsoft focused heavily on improving security.
The company on Friday confirmed the vulnerabilities, which were first reported by independent third parties, but pointed out that no malicious programmes taking advantage of the flaws had yet appeared.
The flaw allows a user with standard system privileges to gain wider access to system tools and settings without the approval of a network administrator. This potentially disables a key security feature of Vista but attackers would first need to gain access to a computer through some other means before exploiting the vulnerability. A vulnerability in the new web browser Internet Explorer 7 was reported at the same time.
Mike Reavey, operations manager at Microsoft’s Security Response Center, acknowledged on the company’s security blog that it was “closely monitoring developments” over the Christmas period.
“Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft’s customers,” he wrote.
He added: “I still have every confidence that Windows Vista is our most secure platform to date”, and said that as always, Microsoft encouraged users to take other security measures such as firewall, security updates, anti-virus and anti-spyware software.
Mikko Hyppönen, chief research officer with Finnish security company F-Secure, said the vulnerability was significant for being Vista’s first since its launch, but was unlikely to be a big concern either to Microsoft or corporate users of Vista, because attackers would need to already have access to the system to take advantage of it.
However, he said criminal gangs would inevitably increase their efforts on attacking Vista. “Within a year or two, there could be tens of millions of computers [running Vista], so there will be more attacks.”
Vista went on sale in late November to corporate customers, who usually wait between 18 months and two years to upgrade to new versions of Windows. Consumers will not be able to purchase it until January 30.
Security flaws are so commonly found in Microsoft’s software that it issues regular security bulletins and software patches. While only a small number of these flaws lead to widespread havoc for computer owners, security improvements were deemed a key feature of Vista.
Shane Coursen, senior technology officer at Kaspersky, the Russian computer security company, said Vista and programmes that come bundled with it, such as IE7 and Windows Media Player, would inevitably have vulnerabilities.
“Vista does do some things that make it more secure – [but] it’s not a safe house,” he said.