
The bug detected in Vista is due to a problem with a component that does not validate user permissions correctly, which could be exploited by an attacker to steal personal data from the user’s computer, according to an advisory on FrSirt’s website.
The error affects Windows Vista, XP, 2000 and Windows Server 2003.
Microsoft touted Vista as its most secure platform to date and implemented a plethora of new security features, including IE7 protected mode and phishing filter, user account control, improved firewall, parental control and Windows defender.
The IE7 flaw could be exploited by malicious websites to create spoofs and launch phishing attacks, the alert said. This is caused by an error in the browser when handling some “onunload” events, which could be used by hackers to mimic the displayed address bar and trick the user into visiting a malicious web page, the security company claim. The remotely exploitable vulnerability also affects IE6.
Microsoft has yet to release any patches for the weaknesses and did not respond to a request for comment.