Digital Common Sense

December 29, TechWeb News — Microsoft promises to patch worsening zero−day flaw. As bleaker details emerged Thursday, December 29, about the threat posed by a zero−day vulnerability in Windows, Microsoft said it would produce a patch for the flaw but declined to put the fix on a timetable. In a security advisory posted on its Website, Microsoft confirmed the vulnerability and the associated release of exploit code that could compromise PCs, and listed the operating systems at risk. Windows 2000 SP4, Windows XP, Windows Server 2000, Windows 98, and Windows Millennium can be attacked using the newly−discovered vulnerability in WMF (Windows Metafile) image file parsing, said Microsoft. The advisory stated that Microsoft will “provide a security update through our monthly release process or providing an out−of−cycle security update, depending on customer needs.” Microsoft rarely goes out−of−cycle to patch a vulnerability −− it’s done so only three times since it began a once−a−month patch release schedule in October, 2003; the last time was over a year ago −− and didn’t patch early in December when another zero−day bug surfaced, even after experts called on the developer to fix fast.
Source

Filed by Ken at 12:19 pm under InfoSec, Technology