[Paridel]

I'm sure as we speak there are IE and Windows exploits out there that MS knows about, and we don't.

I'm sure you are right... because applying software patches is a liability as well. There is always the possibility of things breaking when a patch is applied. Thus, if it is a minor vulnerability, one not likely to see a real world variant, it would be irresponsible for MS to announce it publicly.

Why? Because 1. the patch could cause downtime for costumer's. 2. some computers will not be patched, but announcing the vulnerability means that a real world example will surface.

The same thing happens with open-source programs. There a still plenty of people running out of date software with known vulnerabilities. I have seen people scan for and compromise old red hat system in a very short amount of time. I'm not blaming OSS developers for those shortcomings, it is clearly the fault of the individual with the unpatched box, but yes, it can and does happen.

In Microsoft's case when exploits are revealed they tend to go unpatched for months, sometimes a year, or until the next service pack is released.

Here you are way off base. MS releases lots of patches outside of service packs.

-paridel

[KoRn]

Here you are way off base. MS releases lots of patches outside of service packs."

Sure they do, except for one I remember reading about last year that Microsoft let go for months. The one where a user could click on a URL that could be set up to delete any file on the end user's computer the URL's creator wanted. That one was allowed to stay out there until a major service pack. Microsoft knew about it long before, and didn't fix it because it hadn't been discovered by Hackers.