What's the story with these security holes?


Summary: There are 28 vulnerabilities in the ZDI pipeline, all high-severity, affecting some of the world's biggest IT vendors -- Computer Associates, Microsoft, Hewlett Packard, Novell, Oracle, IBM, Symantec, Sun Microsystems, Veritas and Borland.

Every so often, I make it a point to glance at the upcoming advisories from TippingPoint's Zero Day Initiative and wonder about the status of these "high risk" issues that are more than 300 days old.

What's the story with these security holes?

According to ZDI, the vendors associated with these pending zero-day vulnerabilities have all been notified and are (supposedly) working on patches. In all, there are 28 in the ZDI pipeline, all high-severity, affecting some of the world's biggest IT vendors -- Computer Associates, Microsoft, Hewlett Packard, Novell, Oracle, IBM, Symantec, Sun Microsystems, Veritas and Borland. Microsoft appears on the list six times. Five of the Microsoft bugs were reported more than 200 days ago while the sixth was reported 452 days ago.



Talkback

11 comments
  • This is inconceivable.

    I noticed that Apple was not on the list. The list is wrong. How can Microsoft have 6
    unpatched flaws and Apple have none?
    The_Nutty_Zealot
    • Give it up

      the real non-NonZealot is bad enough, poor imitations are really not necessary, all
      you do is give him more attention than he deserves.
      MarcB_z
    • Stop being a moron

      And learn what a Zero day vulnerability is.
      Kaiwai
      • Read first before inserting mouth.

        Understand what ZDI is before you comment.
        It benefits everyone and is not there to slam anyone.
        As for Apple and ZDI.....

        2007.11.05 - ZDI-07-068: Apple QuickTime Uncompressedfile Opcode Stack Overflow
        2007.11.05 - ZDI-07-067: Apple QuickTime PICT File Poly Opcodes Heap Corruption
        2007.11.05 - ZDI-07-066: Apple Quicktime PICT File PackBitsRgn Parsing Heap Corruption
        2007.11.05 - ZDI-07-065: Apple QuickTime Color Table RGB Parsing Heap Corruption

        Case closed.
        top100developers
  • MS drags feet after new release

    They started doing the same thing in the transition from 2000 to XP. Dragging their feet on the 2K security updates. Whether these zero days are Windows flaws or not, they'll likely follow the same strategy.

    MS is now admitting XP is a leaky security ship.

    http://blogs.cnet.com/8301-13505_1-9831567-16.html?part=rss&tag=feed&subj=TheOpenRoad

    But it's all better now because you can move to Vista. Just like back in the Win 2K days. It was all better because you could move to XP.

    Rinse, lather, repeat.
    Chad_z
    • Hey I really....

      like the shampoo analogy! Do you recommend a particular brand? What about conditioner? Maybe Uncle Billy has some suggestions?

      yukyukyukyukyuk!
      fredfarkwater@...
  • RE: What's the story with these security holes?

    If they wait long enough, the "vulnerable" product will exceed its Product Development Lifecycle, and it will no longer be an issue.
    roseman
  • RE: What's the story with these security holes?

    I wish somebody talking about zero-day attacks would clearly explain what they are. Also, this article isn't very clear on its main point: is it that these vulnerabilities have not been patched?
    w_c_mead
    • The vulnerabilities on the list

      are current and active issues for which there is no patch, yet. The problem with some of the security holes is they are basic design flaws that require major redesign and re-coding of basic system services to plug. In the case of Microsoft these problems won't be fixed as it would require too much work and would eat into the margins of the existing products. And they most likely won't be repaired in upcoming versions for the same reason. It would cut into the profit margin on the product. Easier to copy the old flawed code and slap a new interface on it and call it a new OS than to fix problems on this level.
      maldain
  • "You keep using that word.

    I do not think it means what you think it means...."
    DigitalFrog
    • this was meant for Nonezealot

      .
      DigitalFrog