The backlog of unpatched security vulnerabilities in enterprise products is growing. NGSSoftware, the firm that first identified the underlying security flaw exploited by the infamous Slammer worm, is sitting on a backlog of 175 unresolved vulns.

The security consultancy is working with the UK's National Infrastructure Security Co-ordination Centre (NISCC) to help produce early warning notices about pending IT security problems to organisations responsible for critical services.

The unfixed vulnerabilities are in software products from Oracle, IBM, HP, Microsoft, Openbase, Real, Sybase, Ingres, Veritas, Computer Associates and Sun. NGS's database contains 175 vulns still waiting to be patched by vendors. "We add more on a weekly basis," Dave Litchfield of NGS told El Reg.

To help firms guard against attack, NGS is publishing good practice guides on topics such as securing web applications and a series of white papers through NISCC. Upcoming NGS white papers will cover countermeasures against BIOS rootkits and hacking smart cards.

An archive of security advisories NGS has been involved in developing can be found here. ®

Related stories

• One in five apps are insecure (21 December 2007)
• Zero-day bug hangs over Oracle database (9 November 2007)
• SAP upgrades foil buffer overflow flaws (9 July 2007)
• Oracle blocks 51 security holes (17 January 2007)
• Bullseye of Oracle patches due Tuesday (12 January 2007)
• IE 'unsafe' for 284 days last year (5 January 2007)
• Month of Apple bugs planned for January (20 December 2006)
• Third unpatched vuln menaces Word (15 December 2006)
• Trojan targets unpatched Word flaw (again) (11 December 2006)
• eEye launches 0-day tracker site (7 December 2006)
• Unpatched bug bites Apple Mac OS X (22 November 2006)
• Oracle to provide clearer vulnerability ratings (13 October 2006)
• Another day, another zero-day MS exploit (28 September 2006)
• MS releases emergency IE fix (27 September 2006)
• MS mulls emergency IE fix (26 September 2006)
• Unofficial IE patch saves humanity (25 September 2006)
• Sybase squeezes more SAP into devices (25 September 2006)
• Smut sites use IE exploit to spread spyware (21 September 2006)
• Warnings grow over unpatched IE flaw (18 September 2006)
• Analysis Web vulns top security threat index (18 September 2006)
• Patch Tuesday omits critical Word fix (14 September 2006)
• Trojan targets 0-day Word vuln (5 September 2006)
• Flaw finders lay siege to Microsoft Office (22 July 2006)
• Oracle in war of words with security researcher (26 January 2006)
• UK.gov repels zero day WMF attack (24 January 2006)
• SANS compiles Top 20 security vulns list (22 November 2005)
• UK under cyber blitz (16 June 2005)
• Sybase invokes licence gag in flaw disclosure row (5 April 2005)
• Big guns back UK IT security drive (8 November 2004)
• Updated UK.gov deploys IT early warning system (3 August 2004)
• NGSSoftware unleashes Typhon III (18 August 2003)
• Slammer: Why security benefits from proof of concept code (6 February 2003)
• Oracle security claim to be debunked – expert (16 January 2002)