EEye: More Microsoft bugs on the way

The company that informed Microsoft about the most recent high-profile security vulnerability has said it is waiting on fixes for several more critical flaws

EEye, the company that originally discovered a critical Windows bug patched by Microsoft on Tuesday, says it is waiting on fixes for seven more Microsoft bugs -- three of them meriting a "high" severity rating.

Microsoft released a patch for Windows on Tuesday that fixed one of the most severe security holes ever found in the operating system. Microsoft said it took more than six months to fix the problem and to make sure the patch was thoroughly tested. During this time, the vulnerabilities could have been exploited by another MSBlast-type attack, allowing a virus to rapidly infect a large number of Internet-connected computers, according to security experts.

EEye now says it has reported another seven as-yet-unpatched bugs to Microsoft, some as long as five months ago. The company is listing the report dates and seriousness of the bugs on its Web site, but will reveal no further information until Microsoft has released fixes.

Two of eEye's most dangerous flaws were reported to Microsoft on 10 September, 2003, while the third was brought to the company's attention a month later. According to eEye's Web site, the fixes are overdue by 94 and 66 days respectively.

EEye is one of many security research organisations reporting vulnerabilities to Microsoft, but is one of the few that allow the public to monitor the progress of its bug reports. Some researchers have been known to release public warnings about specific flaws if they judge that a software vendor is taking too long to patch, a practice which vendors have heavily criticised.

According to eEye's Web site, full details of each vulnerability "will be disclosed to the public at the time a patch is released from the vendor".