By Joris Evers
Wednesday, December 06 2006 09:29 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,61972647,00.htm

eEye Digital Security on Tuesday launched a Web site that tracks publicly released security bugs that don't have an official patch, or tracks zero-day vulnerabilities.

The new eEye Zero-Day Tracker Web site on Tuesday listed seven zero-day vulnerabilities, six of which affect Microsoft software and one related to Adobe Systems' Acrobat. For each of the problems, eEye suggests steps people can take to protect against exploitation of the flaws.

"More zero-day security vulnerabilities and attacks are being discovered every day," Marc Maiffret, eEye's chief technology officer, said in a statement. "We've been overwhelmed by requests from our customers to give them the information and time they need to protect their networks."

Security monitoring companies Secunia and the French Security Incident Response Team, or FrSIRT, also track unpatched flaws. However, these companies don't offer a simple overview of all zero-days. Secunia, for example, lists them by product.

There has been an apparent increase this year in the use of new, yet-to-be-patched flaws in targeted cyberattacks. Cybercrooks have found that they could take advantage of Microsoft's monthly patch cycle by timing new attacks right after the software maker released its fixes.

Microsoft's patch day is on the second Tuesday of each month and the company doesn't break its cycle unless an attack has a widespread impact. As a result, security experts have coined the term "Zero-day Wednesdays".

Flaws in Office applications especially seem to be favored by the bad guys. Microsoft and security firms this year have repeatedly had to warn of new, small-scale attacks that exploited yet-to-be-plugged security holes in applications such as Word, PowerPoint and Excel.