Vista Early Confidence Crisis
Published December 27th, 2006 in Microsoft.
Microsoft Windows Vista is not as secure as Microsoft claims. According to a report in The New York Times on Christmas Day, a number of flaws have been discovered in the brand-new OS.
On Dec. 15, a Russian programmer posted a description (in Russian) of a flaw that makes it possible to increase a user’s privileges on all of the company’s recent operating systems, including Vista. The flaw affects csrss.exe, which is the main executable for the Microsoft Client/Server Runtime Server.
Furthermore, computer security company Determina notified Microsoft on Dec. 20 of five more vulnerabilities it had identified — four affecting Vista and earlier versions of Windows, and one affecting Microsoft’s Exchange e-mail server.
Two of the flaws have drawn the most attention:
- Attackers could send a malicious program, such as an e-mail attachment, that, if opened, could gain “administrator” privileges on the computer. In other words, even if you are running as a less-privileged user, the malicious program could escalate its privileges to the higher level.
- Attackers could craft Web pages that would run malicious code on computers that visit them.
New security features in Vista and IE7 keep the browser “in a sandbox”, effectively separated from the rest of the computer, so that malicious code from the Web would be confined to the browser. These flaws, if combined intelligently, could potentially turn this new effort to fix the biggest mistake of the Windows platform (the integration of the Windows desktop and Internet Explorer to hurt competitors) into a failure.
Vista opens a new dawn for security and offers a fresh target for underground hackers, who sell exploits for unpatched code-execution flaws in the $20,000 to $30,000 range.
There is simply no way to build a bulletproof OS, whether it comes from Microsoft, Apple or even Linux. The choice is yours. Here are a few suggestions:
- Stay with the latest version, the one the vendor puts the most resources into.
- Choose an OS that is less targeted by hackers, such as Linux.

