Encyclopedia Brown and the Case of the Missing Patch

Even though Microsoft unleashed a flood of patches yesterday, there was one biggie missing. Last month, Microsoft warned of a zero-day vulnerability in older versions of Excel (pre-Excel 2007). Microsoft rarely issues alerts in between monthly patches, so when it issues one, there’s a good reason for it. The company did say that the vulnerability was being used in targeted attacks but, as always, was not specific. You don’t want to give away specifics involving an exploit/vulnerability because then other people might use it as well, after all.

So why wasn’t there a fix among yesterday’s haul, which featured three Office-related fixes? Microsoft declined to get specific when asked, simply me the standard we-have-to-test-it-carefully answer in response to any query on a patch.

Don Leatham, director of solutions and strategy for Lumension
(formerly PatchLink) also wondered what happened, but said Microsoft only had a
few weeks to write and thoroughly test a patch, which is simply not enough
time. “It may seem like a month but they gotta write the fix, test it
against all platforms, and when you add on all the patches released yesterday, I
think we had some busy people over at Microsoft over the last few weeks,”
he said.

Plus, there hasn’t been a huge number of reports that this exploit is being
propagated by a botnet. These days, Storm is rearing its ugly head again,
sending out countless Valentine’s Day spam message. I must get a half dozen a

Leatham said the Internet Explorer fixes in yesterday’s
patches were farm more serious. “I’m glad that was in the release. HTML
rendering is the core of what IE does and it was remote code execution over IE 6
and 7, so it was a necessary fix.”

News Around the Web