List of Unpatched Windows Flaws Grows

eEye Digital Security flags another code-execution vulnerability in Microsoft's Internet Explorer and Windows Media Player products.

The list of unpatched security vulnerabilities in products embedded in the Microsoft Windows operating system just got longer.

Researchers at eEye Digital Security have flagged another high-severity flaw affecting users of two widely used Microsoft Corp. products—the Internet Explorer browser and the Windows Media Player application.

The company released an advisory with basic details of the flaw, which is described as a "code execution" bug in default installations of IE and WMP.

eEye reported the issue to the MSRC (Microsoft Security Response Center) on Oct. 17 and confirmed that an exploit would affect users of Windows NT, Windows 2000 (all versions), Windows XP (Service Pack 2 included) and Windows Server 2003.

/zimages/5/28571.gifClick here to read more about viruses and worms that target Windows.

Mike Puterbaugh, senior director of product marketing at eEye, said the bug was rated critical because of the risk of remote code execution attacks.

However, he noted that the flaw is not wormable, a hint that some user action would be required for an exploit to be successful.

"Any time youre talking about an application that attempts to connect to the Internet by default, a flaw in that application causes concern. For these two, thats definitely the case," Puterbaugh said.

A spokesperson for Microsoft confirmed receipt of eEyes flaw warning.

"Since details of the vulnerability have not been made public, we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time," she said.

The newest eEye discovery adds to the known list of potentially dangerous Windows holes that remain unpatched.

In all, eEyes "upcoming advisories" page lists seven unfixed flaws, all carrying a high-severity rating because of the remote code execution possibilities.

/zimages/5/28571.gifRead more here about a Trojan that targeted a security vulnerability in the Microsoft Jet Database Engine.

Two of the seven vulnerabilities are more than 100 days overdue and affect the dominant IE browser.

According to security alerts aggregator Secunia Inc., there have been 70 advisories posted for IE flaws since 2003. Almost 30 percent of those remain unpatched.

/zimages/5/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

A vulnerability in the Microsoft Jet Database Engine that was reported to Microsoft more than five months ago is also on the list of unpatched bugs.

Virus writers are already exploiting the Jet DB hole with a mail-borne Trojan horse identified as "Backdoor.Hesive."

The Trojan camouflages itself as a Microsoft Access file and targets users of Windows products that use the database engine.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.