A security vendor based in Aliso Viejo, California has found a vulnerability with a "medium" security rating in Microsoft"s Windows Vista. According to Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, the flaw is a privilege escalation bug and the sole reason it got a "medium" was because it doesn"t enable remote control of the system. The flaw, which eEye first found on January 9 and reported to Microsoft on January 19, is one of the first to be found in the brand new operating system. Vista wasn"t released to the public until January 30. The vulnerability, which is similar to a buffer overflow problem, enables regular users to grab more power on the system:
"A main security feature added to Vista is that regular users have a lower level of privileges. They have fewer privileges in Vista than they did in Windows XP. When regular users are running the operating system, they have regular user-level access, but with this vulnerability, you can elevate yourself to system-level access. Any normal user can do anything they want to the system," says Maiffret.