Microsoft has confirmed that Vista can be affected by malware from 2004, but argues this is not a flaw in the operating system.

Security vendor Sophos reported last Thursday that Microsoft's Vista is vulnerable to at least three pieces of widespread malware, two of which date back to 2004. At least three well-known internet worms -- labelled Stratio-Zip, Netsky-D and MyDoom-O by Sophos -- are able to execute on the operating system, according to Sophos.

However, because these attacks rely on user interaction to execute the code, Microsoft has denied this is a flaw. Microsoft said that these attacks rely on social-engineering techniques to be successful.

"Microsoft is aware of a report by Sophos that claims variants of existing malware may affect users running Windows Vista," the software giant said in a statement. "Based on our initial investigation, Microsoft can confirm that these variants do not take advantage of a security vulnerability, rather they rely on social engineering to infect a user's system."

Social engineering relies on tricking users into executing malicious code themselves -- a user has to open an infected attachment on an e-mail for these worms to infect the system. Windows Mail Client -- the Vista replacement to Outlook -- will block the worms, but businesses running third-party e-mail clients such as Lotus Notes, or webmail such as Yahoo or GoogleMail, could be vulnerable to social-engineering attacks.

Microsoft stopped short of blaming third-party e-mail clients for the problem, but said that User Account Control (UAC) -- which limits users' ability to install applications unless they have administrator privileges -- can "help to provide better protections". IT managers can run Vista end-user accounts with limited "standard user" privileges, rather than administrator privileges. Users are also given security prompts when attempting to run executable code.

"In those cases where other e-mail clients may not have made the same aggressive security design decisions as Microsoft did with Windows Mail Client, other protections such as UAC can apply still to help provide better protections against email-based social-engineering attacks," Microsoft's statement said.

Continue At Source