Vista Flaws Leave Door Open for Hackers

For all the talk about safety and security as a foundational promise of Windows Vista, Microsoft's (Nasdaq: MSFT) new operating system, released to business users in late November, has already been found to contain several potentially serious vulnerabilities.

A programming flaw, thought to be the first identified in the new OS, could let hackers take full control of a computer running the software. It was recently disclosed on a Russian Web site.

Another flaw, which can be executed via Internet Explorer and Firefox Web browsers, can corrupt memory during handling of certain types of requests.

Yet another flaw has been identified in Microsoft Exchange. It allows anyone to shut down the Exchange server by sending a malformed e-mail . Though this flaw does not allow a remote attacker to take over the system, it does cause the mail server to crash.

Microsoft's Spin

Microsoft has seen its share of security flaws in its earlier operating systems, browsers and other products; however, the Vista flaw is a black eye on a new product that Microsoft spent years developing and has touted for its robust security features.

Microsoft said it is investigating the threat and so far has found that a hacker must already have access to a vulnerable computer in order to launch an attack.

"Currently, we have not observed any public exploitation or attack activity regarding this issue. While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date," said Mike Reavey, operations manager of the Microsoft security response center.

The Real Story

The relative impact on Vista users is small, according to most security researchers. The breaches don't seem to be critical, and the software is not widely deployed. Most corporations that are running Vista are in trial mode, and consumers won't have a chance to upgrade or buy new computers with Vista until January 30.

That means Microsoft still has time to make corrections before the product hits store shelves. Vista and other current-generation software offer the ability to self-update and apply any security patches during the installation process. The time to find issues with the program, however, is growing short.

News of a Vista flaw could hinder public perception, according to Enderle Group Principal Analyst Rob Enderle, and that's good news for antivirus software companies.

"It doesn't really matter if Vista is invulnerable or not. No product is invulnerable. If the buying public views the product as good enough -- much like Apple (Nasdaq: AAPL) users don't feel they need antivirus products -- then they won't buy antivirus products for Vista," Enderle told TechNewsWorld.

Security Firms' Stake

Security software firms, including McAfee and Symantec (Nasdaq: SYMC), do not want to see that happen.

"No company, from McAfee all the way to Kaspersky, can maintain revenue if folks who deploy Vista stop buying their products. Security firms are having a major coronary over that possibility," Enderle claimed. "The firms have been working pretty hard to try to find holes and create a viable threat."