Since December 2006

Feb 20, 2007 13:28 GMT

I had a chance to get some inside details about the security in Windows Vista directly from Microsoft via an email interview, and one of the aspects that I addressed was the issue related to the Client Server Run-Time Subsystem. This is a Vista vulnerability that has gone unpatched since December 20, 2006, so in a sense, this is the two-month anniversary. Microsoft issued an official confirmation of the MessageBox vulnerability on December 22, and then it all went quiet.

According to Stephen Toulouse, senior program manager for the Trustworthy Computing Group, the vulnerability is still under analysis. "The MSRC is currently investigating this vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."

Toulouse additionally revealed that as of February 19th, the MessageBox issue is still the only publicly confirmed vulnerability in Windows Vista. Microsoft pointed to Windows Server 2003 as an illustrative example of the level of security that Vista will deliver.

"As I have mentioned before, no software is 100% secure. Security issues will exist even with more secure operating systems because the threat bar will continue to be raised. Hackers continually become more aggressive and that is why Microsoft has made Windows Vista more resilient across multiple layers and applied defense-in-depth measures to help protect users from vulnerabilities," Toulouse added.

Just keep your eyeballs glued to Softpedia. The rest of the interview drops by the end of this week.