3/8/2007
04:50 PM

Microsoft Skips Patch Release, Leaves Nine Outstanding Bugs

For the first time since September 2005, Microsoft skips a monthly Patch Tuesday release.

With nine outstanding software bugs, Microsoft announced on Thursday afternoon that it won't be releasing any patches this month.

It's the first time the company hasn't gone through with its monthly Patch Tuesday release since September 2005. The security update was scheduled to be released Tuesday, March 13.

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges," said a Microsoft spokesman in an e-mailed response to InformationWeek. "Microsoft continues to investigate potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively and comprehensively fix vulnerabilities is an extensive process involving a series of sequential steps. All updates need to meet testing standards in order to be released. This ensures that our customers can confidently install these updates in their environment."

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, says he's surprised that Microsoft won't release any patches this month since there are nine known vulnerabilities affecting Microsoft Office and Explorer.

"It's kind of funny with all the outstanding bugs today, and they have nothing to offer," he says. "I would expect some help to come."

Ullrich says the most critical known bug is in Microsoft Word 2000 and Word XP. The bug, which is being exploited, allows hackers to remotely control infected machines. Ullrich notes that the vulnerability has been publicly known since Feb. 9. "I would have expected it to be fixed this month," he adds.

Dan Hubbard, VP of security research at Websense, agrees with Ullrich that the Word vulnerability, which is a buffer overflow problem, is the most serious of all the outstanding Microsoft bugs. He says they've seen the bug being exploited in small, isolated cases. As serious as the flaw is, security experts say it hasn't been a widespread problem. Last month, InformationWeek reported that hackers used the then-unknown vulnerability to launch an attack against two employees at the same company.

With this vulnerability, a user has to open a malicious Office file attachment, such as a Word document, in an e-mail. If the file is opened, a Trojan or bot is downloaded onto the victim's computer, leaving it open for remote access. The infected machine then could be used as a zombie, or part of a botnet, to send out spam or launch denial-of-service attacks.

"It's not a widespread threat, but it's no picnic for the people being targeted," says Hubbard.

Paul Henry, VP of technologies with Secure Computing, says he's guessing that Microsoft found a problem within the patches themselves and decided to hold off for the month.

"I'm always concerned. Unpatched vulnerabilities out there create issues, and the bad guys take advantage to create havoc in our networks," Henry says. "I'd rather have something than nothing. It's a matter of how broken it is. If it introduces a lesser vulnerability, I'd go ahead with the patch. I'd rather have it be my choice."

In its advance notification alert, Microsoft announced that it will release two high-priority, non-security updates through Windows Update and Software Update Services, and four high-priority, non-security updates through Microsoft Update and Windows Server Update Services.

Last month, Microsoft patched 12 vulnerabilities. Six of them were critical.
