Are all Windows Vista vulnerabilities going to take over three months to be resolved? That is a bit harsh, but just let me explain. It will all make sense in the end, just bear with me. What I want to focus on are two critical vulnerabilities impacting Windows Vista. The first is the Windows Animated Cursor Handling flaw, the second is the MsgBox (CSRSS) Remote Code Execution Vulnerability.

Both have been reported to Microsoft all the way back in December 2006. In this context, Microsoft thanked Alexander Sotirov of Determina Security Research for reporting the Windows Animated Cursor Remote Code Execution Vulnerability and Tim Garnett of Determina Security Research for reporting the MsgBox (CSRSS) Remote Code Execution Vulnerability. So Determina was at the source of the security updates Microsoft made available on April 3 and 10 patching the two critical vulnerabilities impacting Windows Vista.

As far as the Windows Animated Cursor Handling flaw is concerned, I have already tackled the subject, but the Message Box vulnerability was not overlooked. In fact, when I had the chance to talk with Stephen Toulouse, senior program manager for the Trustworthy Computing Group at the end of February, I specifically inquired about the MsgBox flaw. At that point, Microsoft was still investigating the issue.

Since December 2006 and April 2007, the MsgBox (CSRSS) Remote Code Execution Vulnerability has grown from a low severity rating vulnerability to a Critical level. Microsoft has also discovered to adjacent CSRSS vulnerabilities one that permits elevation of privileges and the other DoS attacks in the eventuality of a successful exploit. All three of them have been patched with Microsoft Security Bulletin MS07-021.