
Security researchers have been reporting newly found vulnerabilities on the same day Microsoft releases its monthly slate of patches, in an apparent effort to gain more notice.
Exploits of just-patched vulnerabilities have been cropping up on sites like SecurityFocus and Secunia on the same days Microsoft releases patches for those flaws. That was the observation of McAfee researcher Karthik Raman, who posted about this on McAfee's Avert blog.
Raman noted that a vulnerability in the Active Directory component of Microsoft's Windows 2000 products appeared on November 14th. That was the date of Microsoft's most recent release of patches to its customers.
"I've called attention before to what may be a trend for vulnerability disclosure," said Raman. "Security researchers might be releasing Microsoft vulnerabilities on or just after a Patch Tuesday to maximize the vulnerabilities' window of exposure. The November 14 Windows Active Directory vulnerability is yet another curve-fitter in this trend!"
The Active Directory issue has been rated Less Critical by Secunia. It could be exploited from a local network to create a DoS condition on a targeted system. The problem has yet to be patched.
News of another Less Critical flaw, this time a cross-site scripting issue, came out as October's patches were being released on the 10th of that month. Microsoft's patches for that day corrected the issue among others, but the company was slow to get those patches distributed to the millions of machines waiting for them.
It has been a trend, as Raman and others have observed, to crank out an exploit just as patches become available to correct known flaws. But with some third parties disclosing brand new exploitable issues on the day Microsoft releases its fixes, the company could be in for another embarrassing episode like the spread of the Sasser worm.
Microsoft does the once-a-month updates as a convenience to the thousands of system administrators who have responsibility for ensuring patches get placed on the machines they supervise. That cycle may have to be shortened, especially if the Vista operating system, once released, proves just as vulnerable to issues as previous versions have been.
The company has claimed, through outgoing executive Jim Allchin and others, that Vista will be the safest operating system Microsoft has delivered in its history. After January 2007, when Vista hits the home market, that will be put to the test.
About the Author: David Utter is a business and technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.