Vista Defender flaw creates security risk

Security firm PatchLink urges managers to patch Vista Windows Defender Malware Protection Engine

Microsoft Vista is vulnerable to being taken over by hackers if users do not patch its flawed Windows Defender Malware Protection Engine (MPE), security vendor PatchLink warned.

In a further blow to Microsoft's security credentials, the software giant revealed it was also investigating reports of a zero-day flaw in Office 2000 and Office XP. Microsoft admitted that it might need to release an out-of-cycle security update to fix the hole.

"Vulnerabilities targeting Microsoft applications indicate that hackers are focusing less on attacking the operating system, but are exploiting the application layer,” said PatchLink's European managing director, Alan Bentley.

The patch for MPE was one of six critical patches issued by Microsoft in their monthly patch bulletin for February. The five other critical patches addressed flaws in the HTML help ActiveX control, Microsoft data access components, and Microsoft's Office and Word applications. There was also a critical cumulative security update for Internet Explorer.

The systems affected by the embarrassing MPE flaw were Windows Live OneCare, Antigen for Exchange 9.x, Antigen for SMTP Gateway 9.x, Windows Defender (which is present in Vista), and Forefront Security which protects Exchange Server and SharePoint.