While everyone’s screaming, “Patch! Patch! Patch!” a few are tracking a more insidious danger: known vulnerabilities for which no patches exist. Bad guys love ’em. eEye times ’em.

Amazingly, only three vendors made eEye’s list of unfixed security holes. Nothing on the list is trivial. Each leak could allow remote and/or arbitrary code execution.

Numero uno is, of course, Microsoft. Five high-risk vulnerabilities have been dangling for two to five months. A remaining Microsoft issue is ranked by eEye as merely medium, and has waited just three months for a patch. Stricken products include Internet Explorer, Outlook, Windows 2000, Windows 2003, Windows NT 4.0, Windows XP, and additional miscellaneous titles. eEye won’t be more specific till Microsoft comes up with patches. Commendable and appreciated.

RealNetworks has a couple of vulnerabilities in RealPlayer that have languished for over 60 days.

Macromedia brings up the rear with a problem that has sat unrepaired for a couple of months. Despite this tardiness, eEye’s website continually tries to stuff Macromedia Flash Player 7 down your throat. Hmmm… eEye’s marketing sherpas oughta read the copy they’re posting. It really helps.

In a related announcement… Microsoft still wants to be your security company. Heaven help us all.