Two vulnerabilities have been uncovered in Microsoft’s Windows Vista operating system (OS) and Internet Explorer 7 (IE7).
Both flaws, reported by security researchers at FrSIRT (the French Security Incident Response Team), are rated as "low risk," but are likely to cause embarrassment to the software giant as they affect the latest versions of its OS and web browser.
The Vista bug is within a component that does not validate user permissions correctly, which could be exploited by an attacker to steal personal data from a PC, according to a FrSIRT advisory. The error affects Windows Vista, XP, 2000 and Windows Server 2003.
Microsoft has touted Vista as its most secure platform to date with a plethora of new security features, including IE7’s protected mode and phishing filter, user account control, an improved firewall, parental controls and Windows Defender.
The IE7 flaw could be exploited by malicious websites to create spoofs and to launch phishing attacks, according to the alert. The flaw is caused by an error in the browser when handling some "on unload" events, which could be used by hackers to mimic the displayed address bar and trick the user into visiting a malicious web page, according to the information security organization. The remotely exploitable vulnerability also affects IE6.
Microsoft has yet to release any patches for the weaknesses and did not respond to a request for comment.