Microsoft studies Windows Vista flaw
Published: 2006-12-26

Less than a month after the Windows Vista operating system shipped to businesses, Microsoft has confirmed that a flaw in the software appears to allow attackers to mount a privilege escalation attack.

A brief analysis posted by security firm Symantec, the owner of SecurityFocus, labeled the flaw as a double-free vulnerability caused by the way the Windows operating system handles error messages to be displayed. The vulnerability in the Client Server Run-Time Subsystem affects Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista, according to Microsoft.

"Currently we have not observed any public exploitation or attack activity regarding this issue," Mike Reavey, security program manager for Microsoft's Security Response Center, said in a statement on the MSRC's blog. "While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date."

Windows Vista marks the culmination of several security initiatives begun at Microsoft after the Code Red and Nimda worms--and, later, the Slammer worm--poked holes in the software giant's security reputation. Vista locks down older code and critical components, focuses on reducing the privilege of noncritical code, and adds more security management features to help users make the right decisions regarding system protection.

The operating system will be generally available to consumers at the end of January.



Posted by: Robert Lemos
Copyright 2008, SecurityFocus