Microsoft on Tuesday issued two security updates, one of them rated critical that fixes nasty bugs in Windows Vista that could allow an attacker to gain complete control over a user's machine.

The patch, which also applies to the XP, 2003 Server and 2000 versions of Windows, plugs two holes in the way the operating systems process Transmission Control Protocol/Internet Protocol (TCP/IP). Attackers could exploit them to remotely execute malicious code without requiring any user interaction.

Windows Vista was the first OS to be spawned from Microsoft's Security Development Lifecycle, a process designed to produce more secure products. The bugs addressed by Microsoft Security Bulletin MS08-001 (http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx) are evidence that the program doesn't always work as advertised. The vulnerabilities are rated "critical" in Vista and XP. By contrast, they are described as only "moderate" in Windows 2000 and "important" in Windows 2003.

Redmond issued a separate patch for 2000, 2003 and XP versions of Windows for a bug rated "important." It affected the Windows Local Security Authority Subsystem Service (LSASS) and allowed attackers to run arbitrary code with elevated privileges. Vista is not susceptible. ®

Related stories

MS readies Vista code injection risk fix (4 July 2008)
http://www.theregister.co.uk/2008/07/04/ms_july_patch_tuesday_pre_alert/
ActiveX update stars in Patch Tuesday critical quintet (9 April 2008)
http://www.channelregister.co.uk/2008/04/09/april_patch_tuesday/
MS keeps admins busy with critical Vista patches (4 April 2008)
http://www.theregister.co.uk/2008/04/04/ms_qt_opera_patch_summary/
Attackers hose down Microsoft's Jet DB Engine (26 March 2008)
http://www.channelregister.co.uk/2008/03/26/jet_database_engine_security_flaws/
Critical Outlook and Excel bugs star in March Patch Tuesday (12 March 2008)
http://www.theregister.co.uk/2008/03/12/march_patch_tuesday/
Microsoft dishes out six critical updates (13 February 2008)
http://www.theregister.co.uk/2008/02/13/patch_tuesday_february/
Firefox updates, blitzes trio of critical bugs (8 February 2008)
http://www.theregister.co.uk/2008/02/08/firefox_update/
Will Microsoft parachute Windows 7 in early? (23 January 2008)
http://www.theregister.co.uk/2008/01/23/windows_7_release_2009/
SMBs grasp Vista nettle (15 January 2008)
http://www.channelregister.co.uk/2008/01/15/microsoft_windows_vista_smbs/
Fully patched PCs are a rare breed (9 January 2008)
http://www.theregister.co.uk/2008/01/09/secunia_insecurity_survey/
MS preps critical Vista patch for Tuesday (4 January 2008)
http://www.theregister.co.uk/2008/01/04/ms_patch_tuesday_pre_alert/
Beware of pickpockets and malware-laced banner ads (4 January 2008)
http://www.channelregister.co.uk/2008/01/04/malware_laced_banners/
IE's Acid trip back to conflict (24 December 2007)
http://www.theregister.co.uk/2007/12/24/ie8_acid2_standards/
Microsoft spits out final XP service pack, beta version (19 December 2007)
http://www.channelregister.co.uk/2007/12/19/microsoft_windows_xp_sp3_beta/
Cybercrooks lurk in shadows of big-name websites (12 December 2007)
http://www.theregister.co.uk/2007/12/12/phishing_redirection/
Three critical fixes star in Patch Tuesday update (12 December 2007)
http://www.theregister.co.uk/2007/12/12/dec_black_tuesday_update/
Media player users beware: more vulns ahead (10 December 2007)
http://www.theregister.co.uk/2007/12/10/3ivx_mp4_vuln/