Apparently, some researchers have discovered a major hole — more of a flaw, really — in Windows Vista. What makes this different than the usual patch-coming-Tuesday security issues is that it is based on a fundamental property of the Vista operating system.

In other words, fixing it could be impossible without a significant rewrite of Vista code.

Neowin.net has some more detail in an article “Vista’s Security Rendered Completely Useless by New Exploit.” Normally that’s hyperbole, but in this case there may be something to it.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista.

and

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren’t based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista’s fundamental architecture.

ZDNet wrote this:

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

Perhaps even more interesting (if that’s the right word) is what well-known (and well-regarded) security researcher Dino Dino Dai Zovi said:

[S]ince these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments.

Dowd and Sotirov presented details of their findings and their exploit at the 2008 Black Hat security conference on Aug. 7, but not much more has come out.

Following on the heels of the major DNS exploit last week, it’s been a busy time for security folks….