Monday, June 19, 2006

Excel 0-day

There is a newly disclosed, unpatched Excel vulnerability. Last week the monthly update package from Microsoft was published. It's not the first time that someone has released a vulnerability a few days after the patch cycle, apparently to cause more problems for MS. These situations leave systems vulnerable for almost a month, or they force MS to release an out-of-schedule patch. It's a vulnerability in the monthly release program that simply can't be solved.

Usually MS monitors the noise caused by the disclosure to check whether it needs to release an update outside the cycle. If the problem grows, it releases one; if it doesn't, it waits. I can't see much else to do besides that. Perhaps the release of "beta updates" or "no warranty updates" before the cycle, for those more worried about the problem, could help to reduce the noise. It's just a little dangerous to open this possibility, as I, as a customer, wouldn't find it fair to install something "beta" to reduce a risk that I'm not responsible for.