Microsoft has just patched another critical hole in Vista that it knew about as long ago as last Christmas. The delay was similar to its lag in patching the serious (and heavily targeted) animated-cursor flaw I told you about last month.
The new problem involves the way that the OS’s Client/Server Run-time Subsystem (CSRSS) handles error messages, and it affects Windows 2000 SP4 and Windows XP too. This flaw may not be as severe as the cursor problem, as Microsoft says you’d have to perform certain unspecified “actions” on a malicious Web site before an assault could succeed. But if you were to get snared, an attacker could run any command or program on the victimized PC. Proof-of-concept code, which often presages attacks, is available, but no active attacks on this hole have been reported yet.
If you have Automatic Updates enabled, the fix should already be installed. Otherwise, make sure to get hold of it at Microsoft Technet.
Source: PC World