Security Strategy

'Worst ever Windows vulnerability' discoverer finds seven more holes

But no patches from Gates and chums yet

By Munir Kotadia

Published: 11 February 2004 14:40 GMT

EEye, the company that originally discovered a critical Windows bug patched by Microsoft on Tuesday, says it is waiting on fixes for seven more Microsoft bugs - three of them meriting a "high" severity rating.

Microsoft released a patch for Windows on Tuesday that fixed one of the most severe security holes ever found in the operating system. Microsoft said it took more than six months to fix the problem and to make sure the patch was thoroughly tested. During this time, the vulnerabilities could have been exploited by another MSBlast-type attack, allowing a virus to rapidly infect a large number of internet-connected computers, according to security experts.

EEye now says it has reported another seven as-yet-unpatched bugs to Microsoft, some as long as five months ago. The company is listing the report dates and seriousness of the bugs on its website, but will reveal no further information until Microsoft has released fixes.

Two of eEye's most dangerous flaws were reported to Microsoft on 10 September 2003, while the third was brought to the company's attention a month later. According to eEye's website, the fixes are overdue by 94 and 66 days respectively.

EEye is one of many security research organisations reporting vulnerabilities to Microsoft, but is one of the few which allows the public to monitor the progress of its bug reports. Some researchers have been known to release public warnings about specific flaws if they judge a software vendor is taking too long to patch, a practice which vendors have heavily criticised.

According to eEye's website, full details of each vulnerability "will be disclosed to the public at the time a patch is released from the vendor".

Munir Kotadia writes for ZDNet UK
