
March 2007

March 19, 2007

No Windows patches and the peril of no Windows patches

Last week it became public that a local privilege escalation bug in the Windows kernel's GDI code, found during the Month of Kernel Bugs effort, has spawned a working exploit, and that exploit is now out (though in "controlled" distribution through security company Immunity's partner program). Why is this interesting? Two reasons. First, Microsoft has known about this bug for over two years and has yet to issue a patch for it, even though the US Federal Government's vulnerability database rates it "high." Second, this month Microsoft published no security fixes at all. I guess this vulnerability and its exploit aren't bad enough to make Microsoft's list.

Just goes to show that keeping up to date on security fixes from the vendors of your software isn't enough. Don't get me wrong, it's very important, but it remains only one arrow in your security quiver. When a bug sits unpatched for two years with an exploit in circulation, your exposure window is as long as the vendor's, and the only things that close it are the controls you own: limiting who can run code on the box, keeping users out of the administrators group, and watching for the signs of a local account gaining privileges it shouldn't have.

-AllenN