For the second time this year, Microsoft has failed to release a patch for a vulnerability for which public exploits are already available. This time the flaw is browser-related. Exploits are already floating around out there, but Microsoft is still “testing” its patch and, the last I saw, was not planning on releasing it before April’s Black Tuesday. And this time there are two unofficial patches that beat Microsoft to the punch: one from eEye and one from Determina.
I know Microsoft says that big corporations only want patches released once a month, but I think that methodology no longer works. People are still releasing their working exploit code into the wild before Microsoft releases its patches. I say Microsoft should release its patches as soon as they have been sufficiently tested. Companies can easily decide to patch only once a month if that is how often they are afforded scheduled downtime; that is their decision to make. Other, faster-moving companies would rather protect their users as soon as a patch is available, especially when exploit code is already circulating on the Internet.