Windows Vista, the new computer operating system that Microsoft Corp. is touting as its most secure ever, contains a programming flaw that might let hackers gain full control of vulnerable computers.
Microsoft and independent security researchers, however, tried to play down the risk from the flaw, which was posted on a Russian site recently and was apparently the first affecting the version of Vista released to larger businesses in late November.
The Redmond, Wash.-based software company said it was investigating the threat but found so far that a hacker must already have access to the vulnerable computer in order to execute an attack.
That could occur if the hacker was actually sitting in front of the PC or got the computer's owner to install rogue software, said Mikko Hypponen, chief research officer for Finnish security research company F-Secure Corp.
"The bottom line is you couldn't use a vulnerability like this to write a worm or hack a Vista system remotely," Hypponen said Tuesday. "It only has historical significance in that it's the first reported vulnerability that also affects Vista. It's a nonevent in other ways."
Attackers with low-level access privileges on a vulnerable machine could theoretically use the flaw to give themselves more access, ultimately gaining systemwide control, Hypponen said.
The flaw affects older Windows systems as well. Hypponen said vulnerabilities like this one were quite common and could be fixed with a software patch. Microsoft releases patches on the second Tuesday of each month, except in the case of the most serious threats. No one is known to have launched an attack by exploiting the flaw, Hypponen said.
In a posting on Microsoft's security response Web journal, Mike Reavey, a senior security manager, said he remained confident that "Windows Vista is our most secure platform to date."
Vista, the first major Windows upgrade since Windows XP in 2001, was made available Nov. 30 to businesses that buy Windows licenses in bulk. Consumers generally won't be able to get Vista until Jan. 30.
In trying to improve security, Microsoft redesigned its flagship operating system to reduce users' exposure to destructive programs from the Internet. But most security researchers believe a complex product like Vista can never be error-free, so it was a matter of time before someone discovered a security vulnerability.
Microsoft shares rose 35 cents to $29.99.