Originally posted here by Simple Simon
these dates...

If MicroSoft have known about it for so long, and given the vulnerabilities danger ranking (assigned by MicroSoft), why isn't the patch in SP2? May be I've missed something here?

This bug is obviously involved with some code that is pretty tightly woven into the OS.. Just look at how wide spread the problem is to see how common this code is. I'm sure most of the time spent on this bug was fixing the extensive coding issue that they obviously have. Eeye is a damn good vulnerability finder, so I'm sure it didn't take more than a couple of days for MS to verify what Eeye gave them. It really isn't easy to update code on that many different products. A lot of compatibility testing is involved. Because you know if they released a patch that crashed the server they would be crucified for it.