January 03, 2007, 7:18 PM — Windows Vista. It hasn't even hit the streets yet, and the first hack is already upon us. Corporations, already reluctant to roll out any operating system upgrade until at least the first service pack is available, are no doubt becoming even more skittish. That's not a good way to start a new year.
The flaw, which is being downplayed by Microsoft, is known as a "privilege escalation attack." Simply put, the flaw allows an intrepid hacker to increase users' privileges on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista. News reports attribute the discovery to a "Russian programmer." As if I didn't already get enough spam from, uh, former Iron Curtain locales. According to the Associated Press, several other vulnerabilities have likewise been discovered, including a potentially significant flaw in the new Internet Explorer 7.
This all comes just a few weeks after Microsoft's top security people spent hours explaining to me why Vista is the most secure operating system ever, designed and built in new ways and tested to death by dozens of the world's top security experts. All at a cost of hundreds of millions of dollars and pushing back its release by at least a year.
But read beyond the headline and the story is not exactly what it seems. Sure, there's a vulnerability. That shouldn't come as a surprise; after all, no software is perfect. And I do agree that we'll see drastically fewer flaws in Vista and IE7 than we did in XP and IE6.
The issue, as I see it, is one, as the NTSB might put it, of "pilot error." To quote a line from the A.P. story, "users could become infected with malicious software simply by visiting a booby-trapped site." In other words, if you let the barbarians through the gate, you've done this to yourself. And in still other words, motion-control driveway floodlights and hardened-steel locks throughout your home are worthless if you throw open the front door, curtsy, and let the burglars waltz right in.
In a posting on the Microsoft Security Response Center Blog, the company says "initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system." That fact alone certainly diminishes the likelihood of a successful attack. But the blog posting goes on to advise, "as always, we here at the MSRC encourage everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software." That, of course, is a good idea that is followed all of the time by large corporations, much of the time in homes, and, alas, only some of the time in cash-strapped, tech-oblivious small businesses.