The list of unpatched security vulnerabilities in products embedded in the Microsoft Windows operating system just got longer.
Researchers at eEye Digital Security have flagged another high-severity flaw affecting users of two widely used Microsoft Corp. products—the Internet Explorer browser and the Windows Media Player application.
The company released an advisory with basic details of the flaw, which is described as a “code execution” bug in default installations of IE and WMP.
eEye reported the issue to the MSRC (Microsoft Security Response Center) on Oct. 17 and confirmed that an exploit would affect users of Windows NT, Windows 2000 (all versions), Windows XP (Service Pack 2 included) and Windows Server 2003.
Mike Puterbaugh, senior director of product marketing at eEye, said the bug was rated critical because of the risk of remote code execution attacks.
However, he noted that the flaw is not wormable, a hint that some user action would be required for an exploit to be successful.
“Any time youre talking about an application that attempts to connect to the Internet by default, a flaw in that application causes concern. For these two, thats definitely the case,” Puterbaugh said.
A spokesperson for Microsoft confirmed receipt of eEyes flaw warning.
“Since details of the vulnerability have not been made public, we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time,” she said.
The newest eEye discovery adds to the known list of potentially dangerous Windows holes that remain unpatched.
In all, eEyes “upcoming advisories” page lists seven unfixed flaws, all carrying a high-severity rating because of the remote code execution possibilities.
Two of the seven vulnerabilities are more than 100 days overdue and affect the dominant IE browser.
According to security alerts aggregator Secunia Inc., there have been 70 advisories posted for IE flaws since 2003. Almost 30 percent of those remain unpatched.
A vulnerability in the Microsoft Jet Database Engine that was reported to Microsoft more than five months ago is also on the list of unpatched bugs.
Virus writers are already exploiting the Jet DB hole with a mail-borne Trojan horse identified as “Backdoor.Hesive.”
The Trojan camouflages itself as a Microsoft Access file and targets users of Windows products that use the database engine.