New Software Flaws Affect Nearly Every Windows User
SANS reports nearly 100 new flaws in commercial software this week; thousands more are found in custom software.

As of yesterday, the four most critical flaws affect Internet Explorer, Outlook Express, Microsoft Word, and Kodak Image Viewer, which Microsoft patches because it comes with Windows.

However, as SANS research director Alan Paller points out, there are many other Windows applications that Microsoft does not patch. Users don't find out about these flaws unless their machines get infected--or unless they check separately and periodically with each vendor. (Secunia's Software Inspector is a good tool for aggregating and tracking flaws in several widely used applications.)
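The checking-each-vendor problem above is, in practice, a version-comparison problem: take an inventory of what is installed and compare it against the "fixed in" version from each vendor's advisory. The script below is an added illustration written for this post, not code from SANS, Secunia, or Microsoft; the product names, installed versions and advisory entries are all constructed placeholders. Its one non-obvious point is that versions must be compared numerically, field by field, because a plain string comparison puts "10.0" before "9.5" and would wrongly report an up-to-date install as vulnerable.

```python
# Added example: flag installed applications that are older than the
# version a vendor advisory says fixes a flaw. All data here is constructed.

def parse_version(version):
    """Split a dotted version string into a tuple of ints.

    Tuples compare field by field, so (10, 0) > (9, 5); the raw strings
    would compare the other way round ('10.0' < '9.5'). Assumes purely
    numeric dotted versions, which is the common case for these advisories.
    """
    return tuple(int(part) for part in version.split("."))


# Constructed inventory of what is installed (hypothetical product names).
INSTALLED = [
    {"name": "ExampleViewer", "version": "4.2.1"},
    {"name": "ExampleMailer", "version": "10.0"},
    {"name": "ExampleOffice", "version": "12.1.3"},
    {"name": "ExamplePlayer", "version": "3.0"},
]

# Constructed advisories: the first version in which the flaw is fixed.
ADVISORIES = [
    {"name": "ExampleViewer", "fixed_in": "4.2.2"},
    # 10.0 is newer than 9.5; a string comparison would flag it anyway.
    {"name": "ExampleMailer", "fixed_in": "9.5"},
    {"name": "ExampleOffice", "fixed_in": "12.2"},
]


def find_outdated(installed, advisories):
    """Return (name, installed_version, fixed_in) for every install that
    is older than the advisory's fixed version. Products without an
    advisory are skipped rather than reported."""
    fixed_versions = {a["name"]: a["fixed_in"] for a in advisories}
    outdated = []
    for app in installed:
        fixed_in = fixed_versions.get(app["name"])
        if fixed_in is None:
            continue  # no known advisory for this product
        if parse_version(app["version"]) < parse_version(fixed_in):
            outdated.append((app["name"], app["version"], fixed_in))
    return outdated


if __name__ == "__main__":
    for name, have, need in find_outdated(INSTALLED, ADVISORIES):
        print(f"{name}: installed {have}, fixed in {need} -> update needed")
```

Run as-is it reports ExampleViewer and ExampleOffice and stays quiet about ExampleMailer, which is the case a naive string comparison gets wrong. A real deployment would populate INSTALLED from the machine's installed-programs list and ADVISORIES from each vendor's feed, which is exactly the aggregation work a tool like Secunia's does for you.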

In a plug for SANS training, Paller says big buyers of software are starting to require their suppliers and outsourcers to prove they can develop secure code.

When data breaches are costing companies as much as $1 million--in legal fees, lost productivity, downed servers and so on--requirements like these are inevitable, although I'm not sure developers are the source of the problem. I think software vendors still don't have enough incentive to produce secure code.