Microsoft can't defend Windows Vista

Windows Defender for Vista has failed miserably when it comes to protecting users of Microsoft's latest operating system from a very basic attack.

The penetration of Windows Vista is increasing but all the signs point to users of Microsoft's new OS facing a very scary few months when it comes to security issues.

Vista has only been on the shelves for about a month but big businesses have been playing with the final release since December 2006. Microsoft didn't find it necessary to patch the new operating system in its most recent batch of patches, which were issued last week.

However, the February patch Tuesday did fix a critical vulnerability in Windows Defender, which is a security tool that, according to Microsoft's Web site, is designed to protect Vista from "pop-ups, slow performance, and security threats caused by spyware and other unwanted software".

Because of the flaw in Defender, a specially crafted PDF document e-mailed to a users' PC could result in remote code execution as soon as that file is scanned by Microsoft's security tool.

According to a security bulletin published by Microsoft: "An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file".

The situation is likely to get a lot worse before it gets better.

Last December I was fortunate enough to have a lunch with David Perry from Trend Micro, who described a "sweet spot" for attacking Windows Vista, which will appear once there is a critical mass of Vista users but before Microsoft releases the first service pack.

According to various sources, SP1 for Vista will not arrive till the second half of this year.

This means that early adopters of Vista are likely to face a turbulent few months as newly discovered vulnerabilities are exploited in both the operating system and its applications.