5 March 2010, 12:17
Several known vulnerabilities to remain unpatched on forthcoming Microsoft patch day
Microsoft plans to release just two security updates to fix eight vulnerabilities in Windows and Office on its forthcoming patch day. The company classes both updates as "important", as the vulnerabilities in question cannot be exploited over a network and require a user to open a specially prepared file.
No patch is to be released for the vulnerability reported earlier this week in Internet Explorer under Windows 2000, XP and Server 2003, which involves help files and VBScript. Microsoft is continuing to monitor the situation and, as a protective measure, is advising users not to press the F1 key when browsing. The company reports that it has not registered any attacks to date. Windows 7, Vista and Server 2008 are not affected by the problem.
It appears the vulnerability that could be exploited when processing specific UNC paths in Internet Explorer, disclosed back in January, will not be patched either. This too primarily affects pre-Vista systems: on Vista and later, Internet Explorer 7 and 8 run in protected mode, which prevents exploitation of the vulnerability.
There is still no solution for a bug in Internet Explorer 8's cross-site scripting protection. A DoS vulnerability in the Windows 7 and Windows Server 2008 R2 SMB client, disclosed back in November, and a vulnerability in Internet Information Server (IIS) 6.0 when parsing file names with semicolon extensions, both also remain unpatched. Some of these problems have been in the queue for quite a while.
At a panel discussion at the RSA conference yesterday, Tom Stanley, Chief Information Security Officer at Continental Airlines, complained that too many vulnerabilities are remaining unpatched. Stanley added that he is not interested in how many vulnerabilities a vendor is working on at once or in the number of test queues arising as a result. He said that companies not prepared to put the necessary resources into solving problems rapidly should find themselves another field of business.
Microsoft again takes the opportunity to remind users that support for several versions of Windows will expire this year. There will be no further updates for Windows 2000 after 13th July 2010. Support for Windows XP Service Pack 2 will cease on the same date – users are advised to update to SP3. Support for Windows Vista RTM will end on 13th April 2010, for Vista SP1 on 12th July 2011.