While security patches come out each month, there’s a backlog of unpatched problems.
Microsoft might be more aggressive about security problems but there are still things in the ‘too hard’ basket. The list of ‘Unpatched Microsoft Vulnerabilities’ from the French Security Incident Response Team makes sobering reading.
According to that list there are known security problems in Office going back more than a year.
There’s a PowerPoint security hole from July 2006 that can be used to infiltrate computers (a ‘proof of concept’ has been published showing how to exploit the security gap).
Worse still is a Word document problem (Office 2000 and Office XP) that could occur when opening any Word document. Microsoft has known about this since Feb 2007, when it described a ‘new public’ report. There’s been no public action or statement in the two months and more since.
The only recommendation is the usual suggestion to not open files from both known and unknown sources (which means _all_ files you receive), which isn’t very practical. Imagine a car manufacturer saying that a workaround for a fault in their vehicle is not to drive it on either sealed or unsealed roads.
Microsoft is always going to be torn between the impulse to downplay security problems and acknowledging and fixing them. It remains for outside agencies to keep a close eye on what is fixed and what isn’t.