
Symantec continues its witch hunt against Windows Vista, and has made public the second of the three reports it has lined up on Microsoft's latest operating system. Available so far only to Symantec customers, with a general public release planned before the Vista launch, the report focuses on the operating system's exposure to privilege-escalation attacks. Symantec's researchers tested the User Account Control (UAC) feature in Vista. UAC runs the user's processes at a privilege level below full administrator in order to prevent and contain attacks and limit damage. According to the report, the UAC implementation contains flaws that could allow a machine takeover via Internet Explorer 7. Such an attack would start with a specially crafted file posted on a malicious Web site that exploits a UAC flaw through an ActiveX control, breaking out of the low-integrity process in which Internet Explorer 7's Protected Mode runs.
"We discovered a number of implementation flaws that continued to allow a full machine compromise to occur. The triviality of this privilege escalation...foreshadows the grave difficulty that the Windows Vista security model will have enforcing the separation between low and medium integrity level under the same user account," stated Matthew Conover, principal security researcher at Symantec.
Representatives of the Redmond company have responded to Symantec's reports, saying that Microsoft has already dealt with the issues the security vendor raised and is working to fix any further problems as they surface. Symantec's reports may also be a strategy to undermine consumer confidence in Microsoft's security capabilities, as the software giant has recently entered the security market with OneCare.