More than a matter of perspective

Feb 14, 2007 08:53 GMT

Windows Vista is still fresh on the shelves, and Microsoft has patched the operating system with the February 2007 Security Bulletins release. There is a nuance here, however, and it depends on your perspective. The affected Windows Vista component is Windows Defender. The operating system has managed to make its way unscathed through the first monthly patch cycle, with the small exception of Windows Defender.

Microsoft will argue that the vulnerability affects the Malware Protection Engine at a general level. But if you read between the lines, the critical vulnerability impacts Windows Defender. And the most relevant point is that Windows Defender is integrated by default in Windows Vista.

In fact, Microsoft has designed it so that users cannot uninstall Windows Defender. It can be turned off, but it cannot be uninstalled. And if Windows Defender is an integral part of the operating system, what about the vulnerabilities affecting it?

Considering that Windows Defender is a component of Vista, and that users have little say in the matter, the vulnerability is also in Vista. Microsoft's anti-spyware solution can be used as an attack vector to compromise the operating system.

Jim Allchin, former Co-President, Platform and Services Division, responded in mid-December to a Sophos test which concluded that Windows Vista could be compromised by existing malware. "If you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited (W32/Stratio-Zip, W32/Netsky-D and W32/MyDoom-O)," Allchin said at the time. Obviously, that is not the case when you take Windows Defender into consideration.