Microsoft Update Leaves Some Bugs Unpatched

Microsoft Corp. says its massive December security update didn't include patches for potentially critical vulnerabilities in Windows and Internet Explorer

Microsoft Corp. last week acknowledged that its massive December security update didn't include patches for potentially critical vulnerabilities in Windows and Internet Explorer.

The company last Tuesday released patches for 28 software flaws; it was Microsoft's biggest batch of fixes since it launched the regular monthly update schedule more than five years ago.

Later that day, Microsoft said that "limited and targeted" attacks were under way by hackers exploiting an unpatched flaw in the WordPad Text Converter tool bundled with Windows.

The company said that users must be tricked into opening the malicious files, which are likely to be delivered as e-mail attachments.

A day later, Microsoft acknowledged an unpatched vulnerability in IE 7 after exploit code for it was released -- mistakenly -- by Chinese security researchers. The flaw can be used to infect computers running IE7 on Windows XP.

In a security advisory, Microsoft warned users about the IE flaw and listed countermeasures to take in lieu of a patch. It did not say whether it would patch the bug.

VeriSign Inc.'s iDefense Labs unit said that a blog post from the Chinese research team reported that the attack code at one time traded for $15,000 on underground markets.

The December updates include eight patches for bugs in Windows, Internet Explorer, Office, SharePoint, Windows Media, Visual Basic and Visual Studio. Microsoft ranked 23 of the 28 vulnerabilities fixed by the patches as critical, the top rating in its four-step scoring system.

Researchers agreed that the first patch IT managers should apply is one for the Windows Graphics Device Interface (GDI).

Andrew Storms, director of security operations at nCircle Network Security Inc., said hackers could exploit the GDI vulnerabilities by duping users into opening or viewing malicious Windows Metafile images.
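Because the GDI vulnerabilities are reached by rendering a malicious Windows Metafile, the extension on an e-mail attachment says nothing about whether it is one: the file type is decided by the header bytes. The following is an added example, not code from the article or from any vendor quoted in it. It sniffs the documented WMF (standard and placeable) and EMF headers and flags attachments whose extension does not match what the bytes say; the sample attachments are constructed inline for the demonstration.

```python
import os
import struct

# On-disk header constants from the Windows Metafile (WMF) and Enhanced
# Metafile (EMF) formats; documented values, not assumptions.
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable-header key (bytes D7 CD C6 9A)
EMF_SIGNATURE = 0x464D4520       # ASCII " EMF" at offset 40 of EMR_HEADER
METAFILE_EXTENSIONS = {".wmf", ".emf"}


def _is_wmf_header(data: bytes, off: int) -> bool:
    """Check for a standard 18-byte METAHEADER at the given offset."""
    if len(data) < off + 18:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory metafile, 2 = disk metafile; HeaderSize is always
    # 9 words; Version is 0x0100 or 0x0300.
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify_metafile(data: bytes):
    """Return 'wmf-placeable', 'wmf', 'emf' or None from header bytes alone."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        # A 22-byte placeable header precedes the standard METAHEADER.
        return "wmf-placeable" if _is_wmf_header(data, 22) else None
    if _is_wmf_header(data, 0):
        return "wmf"
    if (len(data) >= 44
            and struct.unpack_from("<I", data, 0)[0] == 1            # EMR_HEADER
            and struct.unpack_from("<I", data, 40)[0] == EMF_SIGNATURE):
        return "emf"
    return None


def triage_attachments(attachments):
    """For each (filename, bytes) pair, report metafiles and whether the
    extension disagrees with the content. Returns (name, kind, mismatch)."""
    findings = []
    for name, data in attachments:
        kind = classify_metafile(data)
        if kind is None:
            continue
        ext = os.path.splitext(name.lower())[1]
        findings.append((name, kind, ext not in METAFILE_EXTENSIONS))
    return findings


# ---- Constructed sample attachments (built here, not captured files) ----

def build_standard_wmf() -> bytes:
    eof_record = struct.pack("<IH", 3, 0x0000)        # META_EOF: 3 words, func 0
    total_words = (18 + len(eof_record)) // 2
    # Type, HeaderSize, Version, Size (words), NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, 3, 0)
    return header + eof_record


def build_placeable_wmf() -> bytes:
    # Key, HWmf, BoundingBox (left, top, right, bottom), Inch, Reserved
    body = struct.pack("<IHhhhhHI", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0                                       # XOR of the first 10 words
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum) + build_standard_wmf()


def build_minimal_emf() -> bytes:
    # EMR_HEADER: type 1, size 88, 32 bytes of bounds/frame, then signature.
    header = struct.pack("<II", 1, 88) + bytes(32) + struct.pack("<I", EMF_SIGNATURE)
    return header + bytes(88 - len(header))


SAMPLE_ATTACHMENTS = [
    ("invoice.jpg", build_placeable_wmf()),            # metafile disguised as a JPEG
    ("diagram.wmf", build_standard_wmf()),
    ("chart.emf", build_minimal_emf()),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(60)),     # real JPEG SOI marker
]


if __name__ == "__main__":
    for name, kind, mismatch in triage_attachments(SAMPLE_ATTACHMENTS):
        flag = "EXTENSION MISMATCH" if mismatch else "ok"
        print(f"{name}: {kind} ({flag})")
```

The check is deliberately header-only: a renderer that honours the metafile header will process the file however it is named, so a disguised `.jpg` that carries a placeable WMF header is the case worth quarantining, while a genuine `.wmf` still deserves scrutiny until the GDI patch is confirmed installed.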

Other GDI bugs have been patched in the past, and Storms said the continual patching of the graphics rendering engine will likely lead to questions about the efficacy of Microsoft's Security Development Lifecycle process, which looks for bugs as code is written.

"I think that's a fair question," said Wolfgang Kandek, chief technology officer at Qualys Inc. "But is it realistic to expect Microsoft to find everything? No, it's not."

Copyright © 2008 IDG Communications, Inc.
