Original URL: http://www.theregister.co.uk/2008/01/08/microsoft_january_patch_release/

Microsoft plugs 'critical' hole in Vista

'Secure Development Lifecycle' only goes so far

By Dan Goodin

Posted in Security, 8th January 2008 19:58 GMT

Microsoft on Tuesday issued two security updates, one of them rated critical that fixes nasty bugs in Windows Vista that could allow an attacker to gain complete control over a user's machine.

The patch, which also applies to the XP, 2003 Server and 2000 versions of Windows, plugs two holes in the way the operating systems process Transmission Control Protocol/Internet Protocol (TCP/IP). Attackers could exploit them to remotely execute malicious code without requiring any user interaction.

Windows Vista was the first OS to be spawned from Microsoft's Security Development Lifecycle, a process designed to produce more secure products. The bugs addressed by Microsoft Security Bulletin MS08-001 are evidence that the program doesn't always work as advertised. The vulnerabilities are rated "critical" in Vista and XP. By contrast, they are described as only "moderate" in Windows 2000 and "important" in Windows 2003.

Redmond issued a separate patch for 2000, 2003 and XP versions of Windows for a bug rated "important." It affected the Windows Local Security Authority Subsystem Service (LSASS) and allowed attackers to run arbitrary code with elevated privileges. Vista is not susceptible. ®