Microsoft - further critical vulnerabilities on the to-do list
The Zero Day Initiative, set up by vendors 3Com and TippingPoint, maintains a very impressive, for some perhaps also worrying, list of upcoming advisories on its website. ZDI sticks strictly to the rules of responsible disclosure and only publishes details of vulnerabilities once an update to fix the vulnerability is available.
No updates are yet available for 55 vulnerabilities; in most cases the vendors were informed more than two months ago. ZDI has classified 49 of these vulnerabilities as critical - vulnerabilities rated as critical generally allow code to be injected into and executed on a system. Microsoft alone appears on the list 11 times, with 9 critical vulnerabilities - one of which the Redmond company was informed about 201 days ago.
Security services provider eEye has also published a list of upcoming advisories on its website. However, this list includes only five vulnerabilities, of which four are in Microsoft products. The vulnerability in Publisher 2007 is a reminder that there is still an outstanding vulnerability in Word, which has remained unpatched for several weeks following the cancellation of the March patch day. It will be interesting to see whether Microsoft implements a regular April patch day in addition to the unscheduled patch day taking place this evening.
- Upcoming ZDI Advisories, overview of forthcoming advisories from ZDI
- Upcoming Advisories, overview of forthcoming advisories from eEye