Thread-topic: FYI: Microsoft Says No Security Updates this Month; Fails To Patch Key Vulnerabilities (from SANS)
--Microsoft Says No Security Updates this Month; Fails To Patch Key
Vulnerabilities
(March 8, 2007)
According to an advance notice from Microsoft, there will be no security
updates released this month. There are at least nine known, unpatched
vulnerabilities in Microsoft products. Microsoft says it is
investigating vulnerabilities and will release fixes when it feels they
have been adequately tested. Microsoft normally releases security
bulletins on the second Tuesday of each month. The last month in which
Microsoft released no updates was January 2003. While there will be no
security bulletins on March 13, Microsoft plans to release an updated
version of its Windows Malicious Software Removal Tool as well as
several non-security, high-priority updates.
Internet Storm Center notes:
http://isc.sans.org/diary.html?storyid=2379
http://isc.sans.org/diary.html?storyid=1940
http://blogs.zdnet.com/security/?p=117
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197801353
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012582&source=rss_topic17
http://www.microsoft.com/technet/security/bulletin/advance.mspx
[Guest Editor's Note (Swa Frantzen, Storm Center Handler): Note that for
five of the vulnerabilities, Microsoft already indicated that the
company will *not* produce a patch (not just this month). At best they
will get fixed in a service pack, but that is not guaranteed. The worst
of the vulnerabilities is, without a doubt, in CVE-2007-0870, as even
Microsoft admits, it allows remote code execution and is being used in
targeted attacks. Known since Feb 9th, we at the Internet Storm Center
were hoping at least this one would get patched. For some reason
Microsoft appears to be saying that a vulnerability being exploited in
targeted attacks is less urgent for them to fix. Targeted attacks are,
for those being attacked, the hardest to defend against because AV
software doesn't get samples unless the attacked organization(s) find
the malware by other means first and then give the AV industry some
samples to work from. Hopefully sensitive data handling facilities
filter office attachments by default by now.
(Liston): Note: They were GOING to release patches, they just
couldn't figure out how to get Vista to let them do it... ]
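The attachment filtering Swa Frantzen hopes for in the note above, as an added example that is not part of the SANS item or any Microsoft or ISC tool: a small mail-gateway style check that flags Office attachments both by filename extension and by the file's leading bytes (the OLE2 compound-file header used by legacy .doc/.xls/.ppt, and a ZIP header whose first entry is the OOXML [Content_Types].xml). Checking content as well as extension catches the common evasion of renaming a document to .txt. The sample message, addresses and filenames are constructed here for illustration.

```python
"""Flag Office attachments in a MIME message by extension and by magic bytes.

Added example, not from the SANS item. The mail below is constructed
inline so the script runs offline.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions a gateway would treat as Office documents (legacy and OOXML).
OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps",
                     ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML is a ZIP archive


def looks_like_office(payload: bytes) -> bool:
    """True if the bytes start like an OLE2 file or an OOXML zip."""
    if payload.startswith(OLE2_MAGIC):
        return True
    # OOXML: zip whose first local entry is the content-types manifest.
    return payload.startswith(ZIP_MAGIC) and b"[Content_Types].xml" in payload[:4096]


def classify_attachment(filename: str, payload: bytes):
    """Return a quarantine reason, or None if the attachment is not Office-like."""
    filename = filename or ""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    by_ext = ext in OFFICE_EXTENSIONS
    by_magic = looks_like_office(payload)
    if by_ext and by_magic:
        return "office document"
    if by_magic:
        # Content says Office, name says otherwise: renamed to dodge extension filters.
        return "office content with non-office extension %s" % (ext or "(none)")
    if by_ext:
        return "office extension, content not recognised"
    return None


def scan_message(raw: bytes):
    """Return [(filename, reason)] for every attachment that should be held."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(filename, payload)
        if reason:
            findings.append((filename, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed test mail: a benign text file, a .doc, and an OLE2 blob renamed .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed
    msg["To"] = "analyst@example.invalid"       # constructed
    msg["Subject"] = "quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    ole_blob = OLE2_MAGIC + b"\x00" * 504       # fake OLE2 header, not a real document
    msg.add_attachment(ole_blob, maintype="application", subtype="msword",
                       filename="figures.doc")
    msg.add_attachment(ole_blob, maintype="application", subtype="octet-stream",
                       filename="readme.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print("HOLD %-12s %s" % (name, reason))
```

Run against the constructed mail it holds figures.doc (both signals agree) and readme.txt (OLE2 content behind a .txt name) while letting notes.txt through. A real gateway would also unpack archives and inspect the Office file itself, but the extension-versus-content comparison is the part that cheap filters most often skip.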