SAN FRANCISCO – Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the product that was released to corporate customers late last month.
A Russian programmer posted a description of a flaw this month that makes it possible to increase a user’s privileges on all of Microsoft’s recent operating systems, including Vista. Over the weekend, a Silicon Valley computer security firm said it had notified Microsoft that it had also found that flaw and five other vulnerabilities, including one serious error in the software code underlying the new Microsoft Internet Explorer 7 browser.
The browser flaw is particularly troubling because it means Web users could conceivably become infected with malicious software simply by visiting a booby-trapped site. That would make it possible for an attacker to inject rogue software into the Vista-based computer, according to executives at Determina, a company based in Redwood City, California, that sells software intended to protect against operating system vulnerabilities.
Determina is among a group of companies that pore over the technical details of software applications and operating systems looking for flaws. When flaws in Microsoft products are found, they are reported to the software maker, which produces fixes called patches.
Despite Microsoft assertions about the improved reliability of Vista, many in the industry are taking a wait-and-see approach.
Microsoft’s previous operating system, Windows XP, required two “service packs” issued over a number of years to improve security substantially, and new flaws are still routinely discovered by outside researchers.
On Friday, a Microsoft executive posted a comment on a company security information Web site saying the company was “closely monitoring” the vulnerability described by the Russian Web site. It permits the privileges of a standard user account in Vista and other versions of Windows to be increased, permitting control of all of the operations of the computer.
In Unix and modern Windows systems, users are restricted in the functions they can perform, and complete power is restricted to certain administrative accounts.
“Currently we have not observed any public exploitation or attack activity regarding this issue,” wrote Mike Reavey, operations manager of the Microsoft Security Response Center. “While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date.”
On Saturday, Nicole Miller, a spokeswoman for Microsoft, said the company was investigating the reported browser flaw but was not aware of any attacks attempting to exploit the vulnerability.
Microsoft has spent millions of dollars branding the Vista operating system as the most secure product it has ever produced, and it is counting on Vista to help turn the tide against a wave of software attacks now plaguing Windows-based computers.
Vista is critical to Microsoft’s reputation. Despite an almost four-and-a-half-year campaign on the part of the company, and the best efforts of the computer security industry, the threat from harmful computer software continues to grow.
Although Vista, which will be available on consumer PCs early next year, has been extensively tested, it is only now being exposed to the challenges of the open Internet.
“I don’t think people should become complacent,” said Nand Mulchandani, a vice president of Determina. “When vendors say a program has been completely rewritten, it doesn’t mean that it’s more secure from the get-go. My expectation is we will see a whole rash of Vista bugs show up in six months or a year.”
The Determina executives said that by itself, the browser flaw that was reported to Microsoft could allow for the theft of password information or the use of one computer to attack others.
One of the principal security advances of Internet Explorer 7 is a software “sandbox” intended to limit damage even if a malicious program is able to subvert the operation of the browser.
Source: International Herald Tribune