Some of the biggest names in the IT software business still are very lax when it comes to fixing security holes reported by third-party brokers.
According to a list maintained by TippingPoint’s Zero Day Initiative, Microsoft, Novell, Oracle, Computer Associates and Hewlett-Packard are among the vendors most tardy about shipping fixes for known flaws that could be used in code execution attacks.
Microsoft, for example, has nine “high risk” vulnerabilities on the list. Three of the nine Microsoft product flaws were reported more than 404 days ago.
One of the “high risk” bugs (see screenshot) was reported to Microsoft 600 days ago.
The most tardy vendor on this list — Computer Associates — has received flaw warnings from TippingPoint more than 602 days ago.
The list only covers vulnerabilities that TippingPoint purchased from third-party vendors. The company keeps a tight lid on details of the flaws until affected vendors release patches. TippingPoint also provides IPS (intrusion prevention systems) filters to its customers to provide a layer of protection from these vulnerabilities.
With the exception of one “medium-risk” bug affecting RealNetworks (reported 186 days ago), all the flaws on the TippingPoing upcoming advisories list are “high risk,” meaning they could be used in code execution/malware installation attacks.
A separate list of pending advisories from TippingPoint’s internal Digital Vaccine Labs research group contains unpatched bugs affecting Microsoft and Hewlett-Packard.