Ziff Davis Enterprise
Thursday, October 16, 2008 3:24 PM/EST

Six Months and Counting for Microsoft on CVE-2008-1436

In April of 2008 Microsoft issued what seemed to be a rather serious security advisory: Vulnerability in Windows Could Allow Elevation of Privilege (951306).

Microsoft never provides gory details of vulnerabilities, even after they've been patched, but by following the CVE entry linked from the advisory you can find links to sites like IBM's ISS that are willing to say more, or even get proof-of-concept exploit code from SecurityFocus. The vulnerability potentially allows authenticated attackers to elevate privileges to LocalSystem.

Here we are, six months later, and Microsoft still has not patched this vulnerability. What's up with that? "Dustin" from the Microsoft Security Response Center recently addressed the question in a blog post on TechNet, following an update to the advisory to note the availability of the proof-of-concept code.

It's worth noting that this vulnerability isn't really near the top of the scare list. Most of those third parties you see linked to on the CVE page rank it down a few notches. Even the usually hyperbolic Secunia calls it "Less Critical" (two out of five, one step up from "Not Critical"). Furthermore, back in April Microsoft provided workarounds that it says are effective against the proof of concept, at the cost of some administrative burden. Microsoft also said it is unaware of any real-world attacks on this vector. You can find more details from Microsoft on the bug in Nazim's IIS Security Blog and the Security Vulnerability Research & Defense blog.

Still, six months! What Dustin said was, "[W]e began our investigation and immediately realized it would not be trivial to address this issue without introducing new risks." They're still testing and developing a fix. Six months later. It would seem that the obvious fixes all cause some serious problem, perhaps breaking third-party code.

Is this inherently unreasonable? It's getting there. The list of affected software includes most of the important versions of Windows. It may be that some of the time this has taken has gone to working with the third parties I'm speculating about to update their software, so that the fix won't have the same impact.

But let's not forget that this is not an easily exploitable bug. It's not wormable in any way, and in order for it to be invoked, other serious breaches of security have to have happened. So I guess it's worth it for Microsoft to take its time doing things right.
