Microsoft omitted a patch this Tuesday, leaving Windows users exposed to an MHTML vulnerability.
The firm's Patch Tuesday did not include a fix for the MHTML flaw (CVE-2011-0096, which McAfee tracks as Exploit-CVE2011-0096), meaning that users will have to wait until at least next month for full protection.
According to McAfee, the most recent release from Microsoft was light compared with last month: three security bulletins addressing four vulnerabilities, with one bulletin rated critical and the other two important.
However, the MHTML patch was not among them, even though the flaw leaves Internet Explorer users open to attack.
“This month’s Patch Tuesday does not address this Internet Explorer zero-day, which could allow hackers to take advantage of this vulnerability,” said Dave Marcus, director of security research and communications at McAfee Labs.
However, despite the potential security risk, Greg Day, Director of Security Strategy at McAfee, told TechEye that there is not necessarily any imminent danger.
“We have not seen any attacks yet so this is a theoretical problem rather than a practical one,” Day said, “though this could change so it is important that Microsoft and ourselves keep an eye on it.”
“I expect that they are now attempting to better understand or make a fix which can be released at a later date.”
According to Day, if the problem became critical it would be possible to put out an emergency fix.
However, while there is frequent debate over whether a monthly patch cycle is adequate to deal with threats, he believes it would be unwise to move to a more frequent cycle.
“There is an ongoing review process over whether patches should be released more frequently, and if there are enough risks then I believe Microsoft would take a serious look at it.
“But we are not currently seeing that many attacks at present that would warrant it.”
One of the reasons for this, according to Day, is the large cost to firms of deploying patches outside the monthly cycle.
“There is a business impact or pressure that will come from interim patching, basically it costs businesses a lot of money to apply an emergency fix across all their systems, so it is best avoided unless absolutely necessary.”
“There is also a problem that not enough time is then allocated to develop a fully functioning fix if the cycle is reduced to say two weeks, so at the moment a good balance is being struck.”
However, Microsoft could perhaps look closer to home to prevent its customers becoming victims of hackers: according to Sophos, a recent update directed all users to a misspelt domain name, which was fortunate not to have been picked up by typosquatters.