
Multiple holes, no patch update

Carel Alberts
By Carel Alberts, ITWeb contributor
Johannesburg, 10 Dec 2003

Microsoft has announced on its web site that it has "no security bulletins to release as part of the monthly release cycle for December". While this will sound positive to anyone unaware of the spate of recent vulnerabilities, the truth is that Microsoft has simply not found a quality cure in time for multiple recently discovered holes.

It has said it is still investigating the issues and doesn't have a patch prepared for December. "It is not that we are not doing anything, it's just that we don't have a patch ready in the pipeline," said Iain Mulholland, security program manager for Microsoft, in reports.

Mulholland added that Microsoft is focusing on increasing the quality of its patches, and that has had an effect on the release timing. Colin Erasmus, lead for security at Microsoft SA, says Microsoft does not want to be in the position (in which it has recently found itself) of having to re-patch.

Indications are also that should a critical vulnerability (and a fix) arrive, there may well be patches later on this month. "We have committed to a monthly cycle, but will not necessarily issue on the given day [if a patch is not available, or no vulnerabilities exist]," Erasmus adds. "We may issue outside the pre-arranged day [every second Tuesday of the month] if the flaw is critical and a patch exists."

Unsolved mysteries

A roundup of recent vulnerabilities without fixes late in November shows several holes in Microsoft's Internet Explorer that, when used together, could allow an attacker to execute malicious code on a user's PC.

Researcher Liu Die Yu, who posted the information on public security messaging boards, reported the flaws. Users are advised to switch off active scripting in Internet Explorer until a patch becomes available, or to use a non-IE browser.

Microsoft at the time reportedly said it was investigating the issue, and "may issue a fix as part of its monthly patch release, or separately, depending on the severity of the problem".

All new problem

Meanwhile, CNet reports, a research company has warned that an attacker could use a recently patched flaw to create a worm similar to SQL Slammer, though even quicker in its propagation.

Core Security Technologies discovered that the Windows Workstation vulnerability announced by Microsoft last month could be exploited using the same type of data used by the SQL Slammer worm. An attacker doesn't have to individually address computers on the network, but can broadcast an attack. Such a tactic could create a worm that spreads faster than SQL Slammer.

"We believe these new attack vectors make the vulnerability even more dangerous and critical as the proposed workarounds are not sufficient to close them and particularly because they outline a very plausible scenario for a highly efficient worm," Ivan Arce, chief technology officer for security software maker Core Security Technologies, reportedly said.
