A particularly nasty exploit for Windows has been released, this one affecting all versions of Windows including Vista. The flaw, which originates in the message box API that is universal among Windows, can be used to escalate privileges on a machine for someone or for a piece of software, allowing them to do pretty much anything they want. It requires local access to the machine, or at the very least, someone on the local machine to run a program:
"The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems," Reavey said in an entry posted late Dec. 21 on the MSRC blog.
The exploit hasn't been verified by any 3rd parties as of yet, though it is being investigated and likely a 3rd party patch will surface soon. Given the predictable nature of Microsoft's patch cycle, it could be weeks or even months before an official fix is published. I look forward to learning more about it.