Wader2 says
the patch was released 3 months ago!
I hate to defend the UK MoD ICT folks on this, but "to patch or not to patch" is actually quite a hard call to make.
- Do you just apply patches as soon as Microsoft, and Adobe, and Sun (for Java), and ... release them, and expect that they will fix the advertised problem, and hope like heck they won't break anything in your highly individualized cr@p-pile of software including stuff so ancient and British that nobody in the good ole Yew Ess of Ay has ever heard of it,
or
- Do you carefully test all the patches to make sure they don't accidentally break anything else, and run the risk of a vulnerability being exploited while you're testing the patch?
Damned if you do, and damned if you don't.
The only way to avoid this kind of nasty is to not allow any desktop Internet access, block all the USB port usage, fit CD drives only to 'special' machines, and filter the email all to hell. Then the users bitch the system is unusable for all the things they want to do.
Which do you want: usability or security?