First Exploit Of Windows Vista Spotted

Proof-of-concept code for an unpatched vulnerability in all supported versions of Windows, including Vista, has gone public, prompting alerts from security vendors and a warning from its Russian discoverer that the flaw may be dangerous.

It is the first Windows Vista exploit made public since the operating system was released to volume license customers Nov. 30.

According Symantec and eEye Digital Security, the bug is a memory corruption vulnerability that pops up when the MessageBox function is called; eEye pegged the threat as "medium," while Symantec labeled it as a "privilege escalation," a type of threat generally considered low on the security scale. An attacker would need authorized access to a PC to exploit the bug.

The code first showed up on a Russian hacker site, and was subsequently posted to milw0rm.com.

Mike Reavy, program manager with the Microsoft Security Response Center, acknowledged that the team was "closely monitoring" the situation even as the holidays approached.

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings," Reavy wrote on the center's blog early Friday.

Windows 2000 SP4, Windows XP SP1 and SP2, Windows Server 2003 SP1, and Windows Vista are at risk, Reavy added.

The Russian researcher who first reported the bug to Microsoft on Dec. 16, however, observed that the vulnerability may be more dangerous than the "Less critical" rating that Danish bug tracker Secunia assigned. "There is potential remote exploitation vector if some service uses user-supplied input for MessageBox() function," wrote "ZARAZA U 3APA3A" on the Full Disclosure security mailing list.

Reavy downplayed the Vista-is-vulnerable angle. "While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date," he said. Microsoft has touted Vista, which released to corporations late last month and will debut Jan. 30 in consumer PCs, as significantly more secure than earlier versions of Windows.

Reavy also recommended users turn on a firewall, apply all Microsoft security updates, and install and/or update antivirus and anti-spyware software to protect their PCs.

Additional information on the threat will be posted to the center's blog, or if necessary, in the form of a security advisory, the mechanism Microsoft uses to inform users of possible defensive workarounds in lieu of, or prior to, a security update.