Microsoft plugs 'critical' hole in Vista
Print story'Secure Development Lifecycle' only goes so far
Posted in Security, 8th January 2008 19:58 GMT
Free whitepaper – Vulnerability management buyer's checklist
Microsoft on Tuesday issued two security updates, one of them rated critical that fixes nasty bugs in Windows Vista that could allow an attacker to gain complete control over a user's machine.
The patch, which also applies to the XP, 2003 Server and 2000 versions of Windows, plugs two holes in the way the operating systems process Transmission Control Protocol/Internet Protocol (TCP/IP). Attackers could exploit them to remotely execute malicious code without requiring any user interaction.
Windows Vista was the first OS to be spawned from Microsoft's Security Development Lifecycle, a process designed to produce more secure products. The bugs addressed by Microsoft Security Bulletin MS08-001 are evidence that the program doesn't always work as advertised. The vulnerabilities are rated "critical" in Vista and XP. By contrast, they are described as only "moderate" in Windows 2000 and "important" in Windows 2003.
Redmond issued a separate patch for 2000, 2003 and XP versions of Windows for a bug rated "important." It affected the Windows Local Security Authority Subsystem Service (LSASS) and allowed attackers to run arbitrary code with elevated privileges. Vista is not susceptible. ®
Image spam: the threat returns
Jump start your Application Security initiatives
The shortcut guide to managing certificate lifecycles
Avoiding 7 common mistakes of IT security compliance
Email continuity
Google cloud told to encrypt itself
Buggy 'smart meters' open door to power-grid botnet
Chinese firm hits back at cyberspy claims
BlockMaster SafeStick hardware-encrypted USB drive