Microsoft confirms Vista zero-Day flaw

Dec 26, 2006 08:34 GMT

On December 15, 2006, proof-of-concept code was published for a zero-day vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). By December 22, the Redmond company had been informed of the issue and had begun working on a patch. Additional information, as well as limited technical details related to this vulnerability, can be read here.

"Aside from discussing the holidays, the reason I am dropping in on the blog is that right now we are closely monitoring developments related to a public posting of proof of concept code targeting an issue with the Client Server Run-Time Subsystem. The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems," stated Mike Reavey, security program manager for Microsoft.

According to Microsoft's preliminary analysis of the zero-day vulnerability, a successful exploit of the CSRSS flaw requires the attacker to already have authenticated access to the target system. Although the vulnerability is not limited to Windows Vista, the security community has labeled it a minor threat.

"Currently we have not observed any public exploitation or attack activity regarding this issue. While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date. As always, we here at the MSRC encourage everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software," added Reavey.

In this context, Microsoft said that the holiday season will have no impact on the company's work to produce a security update for the CSRSS vulnerability. Given that the Redmond company has not detected even limited exploit attempts related to the flaw, a patch addressing it will most likely be released on January 9, 2007.

"Regardless of it being the holiday season, the MSRC will be monitoring overall threat conditions for this and any other issue reported to us. If we do see anything that we believe puts Microsoft customers at risk, or significant new developments, we will update everyone through our standard mechanisms," concluded Reavey.