Windows bugs never really die

23.04.2009
Hackers can successfully attack Windows PCs months -- even years -- after Microsoft Corp. fixes a flaw, a security expert said Thursday, because there's always a pool of unpatched systems.

According to data that Qualys Inc. culled from scans of more than 80 million machines, between 5% and 20% of all systems are never patched for any vulnerabilities, including those disclosed by Microsoft in its monthly security updates.

Qualys, a provider of on-demand IT security systems, tracked four vulnerability bulletins issued by Microsoft in 2008 and in each case found that a sizable fraction of the PCs it scanned had not been patched, even though in some cases more than a year had passed since Microsoft issued fixes.

The four updates, all labeled "critical" by Microsoft when they were released, included the following:

* MS01-001, a two-patch update in January 2008 that plugged holes in .

* , a single February 2008 patch for Windows' WebDAV Mini-Redirector, which defines how basic file functions such as Copy, Move, Delete and Create are performed using HTTP.