Microsoft Offers Patch Day Reprieve

A month after releasing 12 patches to fix 17 security vulnerabilities, Redmond says there won't be any bulletins coming next Tuesday.

Microsoft is giving security administrators a day off next Tuesday.

One month after releasing a whopping dozen bulletins to cover 17 security flaws in a range of products, Microsoft Corp. announced that there would be no new advisories this month.

While IT administrators will get a reprieve from patching, a company spokesman said it is likely that an updated version of Microsoft's malicious software removal tool will be rolled out for Windows users.

Last month, Microsoft originally planned to release 13 advisories, but one was withheld at the last minute because it required more testing before it could be released. That bulletin addresses an "important" vulnerability in Windows.

In addition, there are several known vulnerabilities in Microsoft products that remain unpatched. Last November, San Jose, Calif.-based Finjan Software Inc. released an alert with information on 10 security holes in the Windows XP SP2 (Service Pack 2) operating system.

The company said those vulnerabilities could allow attackers to "silently and remotely" hijack SP2 machines because of "major flaws" that compromise end-user security, but Microsoft challenged those findings and accused Finjan of overblowing the severity of the issues.

Microsoft also has confirmed the existence of a bug in the Internet Explorer browser that opens the door to URL spoofing attacks.

The flaw, which has been widely reported on public mailing lists, can be exploited by a malicious attacker to spoof the URL of a pop-up advertisement. It has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

According to statistics from independent security research outfit Secunia, more than 30 percent of known vulnerabilities in IE remain unpatched.

