Microsoft today said it was investigating reports of proof-of-concept (PoC) code exploiting a vulnerability in Windows.

The PoC is targeting a zero-day bug in the client server run-time subsystem (CSRSS), Mike Reavey, a security program manager, said today on the Microsoft Security Response Center blog.

Vulnerability tracking firm Secunia rated the bug "less critical" and said it could be exploited by an attacker to gain escalated privileges and execute arbitrary code. Meanwhile, the French Security Incident Response Team said the flaw carries a "moderate risk."

The flaw is caused by a "double-free error in the handling of HardError messages within WINSRV.DLL," according to a Secunia advisory.

As a workaround, administrators should grant only trusted users access to the CSRSS, the advisory said.

No public attacks are exploiting the vulnerability, Reavey said.

The PoC could be run on Windows 2000, Windows Server 2003, Windows XP and the recently released Vista. Reavey defended the new operating system, barely a month old.

"While I know this a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date," Reavey said.

Still, users should be security minded, he said.

"As always, we here at MSRC encourage everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software," he said.