The company's patch process seems slow to respond to known vulnerabilities.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 11, 2011



Microsoft on Tuesday published two Security Bulletins addressing three vulnerabilities, only one of which the company deems critical.

Affected software includes Microsoft Windows and Windows Server. This is the kind of lightweight patching that IT administrators would have liked to see last month, when holiday vacations beckoned. Instead, the company's December patch day established a new record with 17 separate Security Bulletins.

The critical vulnerability, MS11-002, addresses two flaws in Microsoft Data Access Components, which, if exploited, could allow remote code execution.

Perhaps more noteworthy than what was fixed this month is what was not: five ongoing vulnerabilities.

"Instead of talking about the number of bulletins being patched today, everyone’s mind is on the five vulnerabilities that are not being patched," said nCircle director of security operations Andrew Storms in an e-mailed statement.

Paul Henry, security and forensics analyst for Lumension, also warned in an e-mail that multiple Microsoft zero-day vulnerabilities remain unaddressed. He cited the Internet Explorer (versions 6 through 8) style sheet importing flaw (CVE-2010-3971) and the Windows graphics rendering engine flaw (CVE-2010-3970) as the two most worrisome. The other three do not have a CVE entry yet and are described by Microsoft on its Security Research and Defense blog.

Henry said that Microsoft is facing increasing pressure to respond more quickly to vulnerability disclosures following Google security researcher Michal Zalewski's recent release of an update to his security tool, cross_fuzz, which has helped identify holes in Internet Explorer.

Google has been pushing for more openness and faster responses to vulnerabilities. Microsoft has suggested that Google's approach amplifies risk and continues to back its interpretation of "responsible disclosure."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
