Dangerous flaws crop up in Vista

Two different sites report security holes in the new OS that together could allow hackers to install malware and take over users' computers.

Getting all excited to deploy Vista in your agency? You might want to think again. The New York Times reports that researchers and hackers are finding serious problems with "the last Windows."

Among the flaws: one described by Russian programmers that allows hackers to increase a user’s privileges on all of the company’s recent operating systems, including Vista. Another major flaw was found by the firm Determina in the new Internet Explorer 7, which could be a gateway for infecting users' machines with malware if they visit certain sites.

“I don’t think people should become complacent,” said Nand Mulchandani, a vice president at Determina. “When vendors say a program has been completely rewritten, it doesn’t mean that it’s more secure from the get-go. My expectation is we will see a whole rash of Vista bugs show up in six months or a year.”

The Determina executives said that by itself, the browser flaw that was reported to Microsoft could permit damage like the theft of password information and attacks on other computers.

Theoretically, IE7 is a sandbox that prevents attacks on Windows systems outside of the browser, even if the browser itself is compromised.

However, when coupled with the first flaw, which permits the change in account privileges, it might then be possible to circumvent the sandbox controls, said Alexander Sotirov, a Determina security researcher. In that case, it would be possible to alter files and potentially permanently infect a target computer. This kind of attack has yet to be proved, he acknowledged.

Determina also discovered a bug that would make it possible for an attacker to repeatedly disable a Microsoft Exchange mail server simply by sending the program an infected e-mail message, the Times said.