No Patch For Excel Zero-Day Flaw

CWmike writes "Microsoft said today that it will deliver three security updates on Tuesday, one of them marked 'critical,' but will not fix an Excel flaw that attackers are now exploiting. 'It doesn't look like we're going to see patches for any open Microsoft security advisories,' said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. 'I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline,' said Storms, 'but the others have been open for a long time.'"

The problem with excel: being mission critical

[Slumdog]

OK, you may disagree, but I've worked at banks and found that Excel use is widespread in mission critical applications, research, trading, and what not. Its like the swiss army knife for non-programmers engaged in decision making. They don't care about security issues (really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

The philosophy for these situations is, 'if its not broken, don't fix it'. As long as Excel remains usable for corporate clients, upgrades and bug fixes will trickle is a slow rate.

Re:The problem with excel: being mission critical

[morgan_greywolf]

Yeah. Decision makers at banks have proved themselves to really intelligent lately, huh?

Re:But let's not forget...

[Gnavpot]

According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

I assume you were funny, but in case you were not:

Microsoft counts from the day they publicly confirm the existence of a bug.

Most others counts from the day the bug was publicly known.

So if Microsoft delay the confirmation of a publicly known bug, the numbers will work in their favour.