computerwoche.de

Archiv

Was that a Vista fix released on Patch Tuesday?

15.02.2007
Users can chalk up a critical vulnerability -- now patched -- in Windows Vista, a Microsoft security manager said Wednesday. Though if people want to get picky, the fix for the company's malware scanning engine isn't really for a flaw in the operating system's core code. And therein lies a debate.

The question of whether Vista was patched against its first remote code vulnerability may be academic in the long run, but researchers and customers alike are keeping close tabs on the operating system for the first confirmed vulnerability. Microsoft has repeatedly touted Vista as its most secure version of Windows ever.

Tuesday, it released to fix 20 vulnerabilities, 11 of them pegged as "critical" in the company's four-step scoring system. One of the bulletins, MS07-010, patched a critical bug in the malware scanning engine used by Microsoft's security lineup, including Windows OneCare, Windows Defender and the Forefront Security and Antigen products.

Windows OneCare and Windows Defender run on Vista client systems; Defender is in fact built into Vista.

"The underlying component [of Windows Defender] does ship with Vista," acknowledged Mark Griesi, security program manager for the Microsoft Security Response Center (MSRC). "That's the correlation people are drawing. The vulnerability is in the malware engine, which is part of Defender, which is part of Vista. So, yes, you can say that Vista [itself] is vulnerable.

"But is it a direct vulnerability in Vista? I wouldn't characterize it like that," he added.