Third-party patching, a hot topic in recent months given the increased prevalence of zero-day flaws, was among the issues dissected at the recent Black Hat USA 2006 conference in Las Vegas.
In one presentation, Alexander Sotirov, a reverse engineer on the security research team at Redwood City, Calif.-based vulnerability protection firm Determina Inc., said third-party patching provides another security option for IT shops that need to block exploits before an official patch is developed, and that those patches are easy to uninstall after an official patch is released.
Sotirov did acknowledge that there are some disadvantages to third-party patching: There's limited support for multiple operating system versions and languages, and some vulnerabilities require extensive changes or a redesign of the affected application and simply can't be hotpatched.
While some organisations might not hesitate to use a third-party fix if a threat is dire enough, IT professionals interviewed by SearchSecurity.com after Black Hat said they would never deploy one in their own environments.
"Third-party patching is potentially another area of vulnerability in my opinion," said Jessica Lynne Verzi, information security manager for ESL Federal Credit Union, a financial institution with 550 employees, 17 branches and numerous ATM locations in the Rochester, N.Y., area. "It's very reactive and very dangerous to install one."
Third-party patches were released for two different Microsoft threats earlier this year.
In January, Russian programmer Ilfak Guilfanov made a patch available to address the widely exploited Windows Metafile (WMF) flaw that Microsoft ultimately patched.
In March, Determina and Aliso Viejo, Calif.-based eEye Digital Security Inc. released third-party patches for the createTextRange flaw involving Internet Explorer, which Microsoft patched in its April security bulletins.
In both cases, reaction was mixed in the information security community. With WMF and, to a lesser extent, createTextRange being widely exploited, some argued a third-party fix was better than nothing. Others warned that patches can never be fully trusted unless they come straight from the vendor of the affected product.
Verzi didn't lose any sleep over those threats, she said, because ESL Federal Credit Union uses a variety of security measures that would make it very difficult for attackers to successfully exploit those flaws against the organisation.
Verzi said enterprises that practise so-called defence in depth have the necessary security in place to mitigate threats that exploit zero-day flaws, and can therefore afford to wait for the official patch.
Craig Hunter, IT manager for the City of North Vancouver, said organisations that have such a security program can afford to wait a few weeks for an official patch.
"Third-party patching is more trouble than it's worth," he said, agreeing with Verzi that it can potentially introduce more vulnerabilities to the network. "Using a mitigation strategy like blocking certain ports or shutting certain programs is the better solution. The user may have to go without a feature for a week, but it's better than taking a risk with a third-party fix that you then have to go and uninstall before installing the real patch."
Keith Gosselin, IT officer for Biddeford Savings Bank in Biddeford, Maine, is also concerned about how his applications would work if he ever tried to install a third-party patch.
"Applications are so finicky, I'd be worried about an application exploding in my face," said Gosselin, whose company has 70 employees and three bank branches, with a fourth opening in September.
Like the others, Gosselin preaches the virtues of a well-rounded defence, and said he makes a point of educating employees on the potential consequences of their computing habits.
"I do spend a lot of time keeping track of zero-day threats so I'm aware of out-of-cycle fixes," he said. "I want to know when there's an exploit so I can email users and warn them to be careful."
During the recent PowerPoint threat, for example, he sent out an email warning employees not to open PowerPoint attachments unless they were expecting one from a trusted source.
He supplements urgent warnings with routine emails about every other month that ask people to be careful when opening attachments.
"If you get a file from someone you know that you weren't expecting, I tell them to call that person before opening the attachment," he said.
With these practices in place, he said, there's never a need to use a third-party patch.
To those who argue that patches can't be trusted unless they come from the vendor of the affected program, Determina's Sotirov told his Black Hat audience, "Most software vendors have a long record of shipping vulnerable software. If we trust them, there is no reason not to trust a third-party patch from a well-known security expert or a security company."
Furthermore, he said, "Third-party patches are ideal for situations where the risk of a system compromise outweighs the risk of interoperability issues."