Feb 12, 2007 10:25 GMT

Microsoft has failed to release security patches for no fewer than 11 zero-day vulnerabilities. The eEye Research Team's Zero-Day Tracker has calculated the amount of time Microsoft customers have been exposed to each unpatched vulnerability. The Microsoft zero-day vulnerabilities that are still open to attack have exposed users for a total of 1,076 days.

Office-related vulnerabilities take the lion's share of eEye's list of Microsoft zero-days. No fewer than seven of the 11 vulnerabilities affect products of the Office suite. The fact that the Redmond company has let five Office vulnerabilities slide since December 2006 without a security patch contributes drastically to the volume of active Microsoft zero-days.

Microsoft has scheduled the release of its monthly security bulletins for tomorrow, February 13, 2007. The Redmond company plans to make available 12 security updates for a range of its products, from Windows to Office and its security solutions. Microsoft is thought to be releasing tomorrow at least some of the four patches dropped from the initial January 2007 line-up.

According to eEye Research, only one of the 11 Microsoft zero-day vulnerabilities has received a severity ranking of Critical. In this context, the Redmond company has a defense for not rushing to patch vulnerabilities across its products. While the most recent vulnerability indexed by eEye is the February vulnerability for Office, the oldest affects Windows 2000 SP4.

Tomorrow, Microsoft will also release 10 high-priority non-security updates, in addition to the 12 security bulletins already announced.