
Microsoft Skips Patch Release, Leaves Nine Outstanding Bugs

For the first time since September 2005, Microsoft skips a monthly Patch Tuesday release.

With nine outstanding software bugs, Microsoft announced on Thursday afternoon that it won't be releasing any patches this month.

It's the first time the company hasn't gone through with its monthly Patch Tuesday release since September 2005. The security update was scheduled to be released Tuesday, March 13.

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges," said a Microsoft spokesman in an e-mailed response to InformationWeek. "Microsoft continues to investigate potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively and comprehensively fix vulnerabilities is an extensive process involving a series of sequential steps. All updates need to meet testing standards in order to be released. This ensures that our customers can confidently install these updates in their environment."

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, says he's surprised that Microsoft won't release any patches this month since there are nine known vulnerabilities affecting Microsoft Office and Explorer.

"It's kind of funny with all the outstanding bugs today, and they have nothing to offer," he says. "I would expect some help to come."

Ullrich says the most critical known bug is in Microsoft Word 2000 and Word XP. The bug, which is being exploited, allows hackers to remotely control infected machines. Ullrich notes that the vulnerability has been publicly known since Feb. 9. "I would have expected it to be fixed this month," he adds.

Dan Hubbard, VP of security research at Websense, agrees with Ullrich that the Word vulnerability, which is a buffer overflow problem, is the most serious of all the outstanding Microsoft bugs. He says they've seen the bug being exploited in small, isolated cases. As serious as the flaw is, security experts say it hasn't been a widespread problem. Last month, InformationWeek reported that hackers used the then-unknown vulnerability to launch an attack against two employees at the same company.

With this vulnerability, a user has to open a malicious Office file attachment, such as a Word document, in an e-mail. If the file is opened, a Trojan or bot is downloaded onto the victim's computer, leaving it open for remote access. The infected machine then could be used as a zombie, or part of a botnet, to send out spam or launch denial-of-service attacks.

"It's not a widespread threat, but it's no picnic for the people being targeted," says Hubbard.

Paul Henry, VP of technologies with Secure Computing, says he's guessing that Microsoft found a problem within the patches themselves and decided to hold off for the month.

"I'm always concerned. Unpatched vulnerabilities out there create issues, and the bad guys take advantage to create havoc in our networks," Henry says. "I'd rather have something than nothing. It's a matter of how broken it is. If it introduces a lesser vulnerability, I'd go ahead with the patch. I'd rather have it be my choice."

In its advance notification alert, Microsoft announced that it will release two high-priority, non-security updates through Windows Update and Software Update Services, and four high-priority, non-security updates through Microsoft Update and Windows Server Update Services.

Last month, Microsoft patched 12 vulnerabilities. Six of them were critical.
