Microsoft's January Patch Missing Fixes For Five Flaws

The company's patch process seems slow to respond to known vulnerabilities.

Microsoft on Tuesday published two Security Bulletins addressing three vulnerabilities, only one of which the company deems critical.

Affected software includes Microsoft Windows and Windows Server. This is the kind of lightweight patching that IT administrators would have liked to see last month, when holiday vacations beckoned. Instead, the company's December patch day established a new record with 17 separate Security Bulletins.

The critical vulnerability, MS11-002, addresses two flaws in Microsoft Data Access Components, which, if exploited, could allow remote code execution.

Perhaps more noteworthy than what was fixed this month is what was not: five ongoing vulnerabilities.

"Instead of talking about the number of bulletins being patched today, everyone’s mind is on the five vulnerabilities that are not being patched," said nCircle director of security operations Andrew Storms in an e-mailed statement.

Paul Henry, security and forensics analyst for Lumension, also warned in an e-mail that multiple Microsoft zero-day vulnerabilities remain unaddressed. He cited the Internet Explorer (versions 6 through 8) style sheet importing flaw (CVE-2010-3971) and the Windows graphics rendering engine flaw (CVE-2010-3970) as the two most worrisome. The other three do not have a CVE entry yet and are described by Microsoft on its Security Research and Defense blog.

Henry says that Microsoft is facing increasing pressure to respond more quickly to vulnerability disclosures following Google security researcher Michal Zalewski's recent release of an update to his security tool, cross_fuzz, which has helped identify holes in Internet Explorer.

Google has been pushing for more openness and faster responses to vulnerabilities. Microsoft has suggested that Google's approach amplifies risk and continues to back its interpretation of "responsible disclosure."