Does this mean Vista is basically XP in a tuxedo?
Microsoft Issues First Vista OS Patch
Walaika K. Haskins, newsfactor.com
Wed Jan 18, 5:05 PM ET
Microsoft has issued a security patch for its as-yet-unreleased operating system, Windows Vista. The patch, issued over the weekend, repairs the same graphics-rendering flaw discovered in Windows XP late last month.
Using the vulnerability, hackers could gain remote access to PCs and install malicious software on them. The flaw, which was called "extremely critical" by several security vendors, affects systems running Windows XP as well as Windows Server 2003.
Currently available to Microsoft developers and beta testers, the technology preview of Vista shared the same vulnerability found in XP. Vista is not slated to be released to the public until later this year.
Microsoft issued the patch for the Vista beta with a warning that the new operating system is vulnerable to the same remote-code execution flaw found in XP.
Widespread Flaw
The fix corrects how Windows Vista handles graphics in the Windows Meta File (WMF) format. While Windows contains routines for displaying these files, a lack of input validation in one of the routines could result in a buffer overflow that would subsequently allow hackers to run code from remote locations.
Graham Cluley, senior technology consultant with Sophos, said the WMF flaw is "extremely serious" and is actively being exploited by many hackers. One indication of the serious nature of the threat, according to Cluley, was one third-party researcher engineering and distributing his own patch while awaiting the security fix from Microsoft.
Another significant indicator was the January 6 release of an official patch from Microsoft, a full week before it was originally slated to be distributed to the public. Microsoft explained it had completed testing earlier than expected and that it was responding to customer requests to release the patch as quickly as possible.
"Now that an official patch is available and has been deployed by many people, we have seen a dramatic tail-off in attempts by criminals to make use of the vulnerability," Cluley reported. He added this recommendation: "Our advice to home users and companies is to waste no time applying this patch on their computer systems."
Better Late Than Never
The week-long wait from the January 6 patch release for Windows XP and Windows Server 2003 to last weekend's issuance of a fix for Vista is understandable, said Cluley, because Vista has not yet hit store shelves and it was not as high a priority for Microsoft engineers.
"It has obviously taken longer for Microsoft to release a patch for the WMF flaw on the Vista platform than current versions of Windows, but that's because Vista isn't yet released and it was a higher priority to protect the shipping versions of Windows," he said.
In the long run, Microsoft would have had to repair the problem anyway to avoid the kind of negative publicity that would hinder sales at the Vista launch, Cluley said.
"They were right to patch Vista, as it would be very poor publicity for the new operating system if it had eventually shipped with flaws that had been fixed in its predecessor months before," Cluley pointed out.
Other Priorities
Although Windows XP and other shipping versions of Windows are top priority for Redmond's engineers, Microsoft has announced that it is delaying the release of the third service pack for Windows XP. According to information posted on Microsoft's site, Service Pack 3 will not be released until the second half of 2007.
The 2007 date puts the introduction of the new service pack well beyond the planned launch of Windows Vista. The company has refused to enumerate what features and patches might be included in the upcoming service pack, but speculation has been running rampant since the release of Service Pack 2 in August 2004.
"We will be releasing another service pack for XP over the course of the product life cycle, and we are tentatively targeting the second half of 2007 for release," a Microsoft spokesperson was quoted in news reports as saying. "However, right now our priority is Windows Vista. We'll have more information to share about the next service pack for XP after Windows Vista ships."