Ryan Naraine comments at ZDNet about yesterday’s Patch Tuesday fixes from Microsoft:
The carefully crafted image of Windows Vista as the most secure operating system of all time is beginning to take a beating.
For the second time this month, Microsoft has shipped a security bulletin with patches for a “critical” Vista vulnerability that puts millions of users at risk of code execution attacks.
The first time was the out-of-band fix for the animated cursor flaw.
The update — MS07-021 — is one of five bulletins released in Microsoft’s scheduled batch of patches for April.
…
The remote code execution flaw that dinged Vista is an error in the way the Windows Client/Server Run-time Subsystem (CSRSS) process handles error messages. An attacker could exploit the vulnerability by constructing a specially crafted application that could potentially allow remote code execution. In all, the MS07-021 update fixes three different CSRSS bugs, all affecting Vista.
In retrospect, touting Vista's security was a poor marketing play. Vista is better than Windows XP, but there was never any chance that users (or Microsoft) would be freed from the monthly patching follies, and that is all that really counts. Admittedly, there wasn't much else to say about Vista besides the improved security and the Aero "user experience" (for those folks not sucked into Vista Home Basic, which lacks Aero), and it was a pleasant dream while it lasted.