With just over a month until Windows Vista launches to the general
public worldwide, security researchers at Determina reported late last
week that they had found six software bugs in the upcoming OS.
Microsoft says it's "closely monitoring" at least one of the reported
bugs, which is quite a bit more serious than the others.

The most troubling of the bugs, and the one that Microsoft is most
concerned about, is found in Microsoft Internet Explorer (IE) 7.0,
which ships as part of Vista. This bug, which was also separately
reported by a Russian programmer, could allow a Vista user's machine to
be infected with malware simply by visiting a malicious Web site.
However, it's unclear whether Vista's numerous other security features
mitigate this type of attack.

"Currently we have not observed any public exploitation or attack
activity regarding this issue," Microsoft Security Response Center
Operations Manager Mike Reavey wrote in response to the issue.

However, given the schedule, Microsoft could easily fix this and any
other early Vista bugs before the system is even released to the
public. Vista, like its predecessors, includes Windows Update and
Automatic Updates components that help the system receive automatic
security patches online.

The problem, of course, is perception: After a five-year gestation and
billions spent for research and development, Microsoft has a lot
riding on Vista. If enough high-profile stories about Vista
vulnerabilities emerge, the firm runs the risk that consumers and
businesses will put off upgrading to the new system.

In related news, malicious hackers are apparently offering a $50,000
bounty to anyone willing to provide them with information about Vista
flaws. News of this bizarre offer was first reported by the CTO of
Trend Micro, who couldn't confirm the validity of the request.