More testing and a second advisory

By Ryan Naraine  |  Posted 2005-03-31

Maiffret said eEye's researchers were still testing different configuration scenarios to determine whether users of Windows Server 2003 are affected.

A second advisory provides vague details on a similar issue, but Maiffret said it was not yet clear which platforms were affected.

"Microsoft has verified that these vulnerabilities are real, and it's fair to expect them to treat this with the highest priority," Maiffret said, adding that Redmond's engineers have historically been slow to react to major product flaws.

In one case, it took Microsoft six months to create and release a patch for a highly critical flaw reported by eEye. "Over the last two years, they've gotten worse at releasing patches in a timely manner. When you take several months to release a patch for a very serious flaw, you leave your customers exposed. In Microsoft's case, they have to do better," Maiffret added.

Microsoft officials say the complicated nature of testing patches for quality assurance is the reason for the delay, but Maiffret said he believes the problem is due to Microsoft's insistence on running code audits for every reported vulnerability.

"Whenever a vulnerability is privately reported, they do a code audit around the vulnerability to try to find other possible issues. That's the real reason it takes so long to get a patch. No matter what, it's unacceptable to take so long to fix something, especially when the risks are high," he added.

According to security alert aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.
