It had to happen at some point. Proof that no operating system is invulnerable to attack (this includes you, Penguin lovers), Microsoft’s security Response team announced a new vulnerability with a proof of concept has been discovered for the Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems. This is the first vulnerability I’ve heard of on Vista. It’s a plain old elevation of privilege attack. It does require authenticated access to the targetted system.
Here’s the great news for Vista people. Vista is by far the most secure OS that Microsoft has released. Even if you are running as administrator and surfing the net, some dodgy code cannot install itself on your PC without your consent as long as you leave UAC running. UAC is worth keeping in this scenario. The logon script problem that I mentioned before would probably convince me to turn off UAC for ordinary user PC’s who run without admin privs – I don’t like the McGuyver fix for the problem all that much.
The Research team noted that this is a busy time of year for them. Lots of people in their Mom’s basements prefer to unleash their attacks at this time of year while IT staffs are winding down or are running on skeleton crews, if they are even it at all. If you do have an automated patching system, it might not be a bad idea to make sure the necessary staff are cross trained to cover for the holidays. They should also subscribe to the security alert emails so that they are alerted to any actions that should be taken.