Kingcope, a security researcher that has started an exploit selling service, has disclosed a new vulnerability in Windows Mail. Windows Mail is Windows Vista replacement for Outlook Express.

Symantec’s DeepSight network, which issued a warning about the vulnerability in Windows Mail early this morning, upped the threat rating from 6.8 to 7.5 in a follow-up alert after it confirmed that the bug was remote code exploitable. That means an attacker could introduce his or her own malware onto a compromised computer. Windows Mail is the successor to Outlook Express, the entry-level e-mail app that’s been bundled with the operating system since the Windows 95 edition.

By crafting an e-mail message with a link to a malicious file — one hosted on a remote Internet server, say — and duping the recipient to click on the link, an attacker could infect a Vista PC with software that steals identities or with a backdoor Trojan horse.

In some cases, all that’s required is that the user clicks on the link, said Symantec. “An attacker can deliver an e-mail message containing a malicious link that references a local executable,” the DeepSight alert read. “If the victim clicks on this link, the native program is executed with no further action required. For instance: An attacker could achieve the execution of the local file ‘winrm.cmd.’”

If run, “winrm.cmd” — the Windows Remote Management command-line tool — would give an attacker complete access to a PC.

Microsoft is down playing the potential risk but this is just another chink in armour. Vista’s security has hardly been fool proof and as more security vulnerabilities are found in the new OS, security experts are questioning reports that Microsoft’s new OS is the most secure system yet.

I said it before and I’ll be saying it again…reinstall XP, or if you are due for a new computer try to get one with XP, buy a Mac, or try Ubuntu .

[Exploit-for-sale hacker pins bug on Vista's e-mail app]

[tags]Microsoft, Microsoft Vista, Microsoft Windows Vista, Windows Vista, Vista[/tags]