The blogosphere this week looks a lot like it did back in
January, when Russian programmer Ilfak Guilfanov
released his own fix for the Windows Meta File
(WMF) flaw. The flaw was attacked on a massive scale,
forcing Microsoft to
patch it early.
This time, the blogosphere is abuzz about an organisation called
the Zero-Day Emergency Response Team (ZERT) and its
emergency fix for the Internet Explorer
Vector Markup Language (VML) flaw. Like WMF, attackers have had
a field day with VML, and Microsoft
rushed out an early patch.
Patchlink also released a VML solution, but much of the
blogosphere focused on ZERT, with a majority of people uneasy about
the idea of using a patch that isn't from the supplier.
ZERT member Randy Abrams acknowledged third-party patching is
risky in
an interview with SearchSecurity.com this
week. But with zero-day threats on the rise, IT professionals
need extra tools to choose from so they can protect their
networks while waiting for Microsoft to act, he said.
But some bloggers weren't sure that third-party patches are a tool
worth having, including Ross Brown, CEO of eEye Digital Security,
which released its own fix for the
Internet Explorer (IE) createTextRange flaw
back in March.
"While it would be easy to assume… that eEye would be all over
releasing third-party patches as a commercial entity and while we
have gotten advice from an analyst that this would be a great
business … I don't think third-party patches are a great idea,"
Brown wrote in his
Technobabylon blog. "They are a necessary
evil that should be used sparingly."
He compared third-party patching to a virtual game of
Jenga,
where, over time, an unstable pile of code builds up in the system.
"Adding third-party code that changes the basic functionality of
the system isn't hard, but it is really hard to do well, especially
as time passes and the other parts of the 100 million lines of
Jenga code get moved around," he said. "Third-party patching is
like playing Jenga blindfolded at best."
When eEye released its third-party fix, Brown said the firm got
it right by following these design principles:
- Touch as few parts as possible to mitigate the flaw
- Be aware of the official patch and disappear once that patch
is installed
- Be aware of the version of Windows, including languages and
revisions, to patch correctly
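The second and third of Brown's principles, the self-removing check and the version gate, are codified in the added example below. It is not eEye's or ZERT's code; the KB identifier, the supported build numbers and locales, the marker-file path, and the apply/revert script blocks are placeholders that a real mitigation would replace with its own values.

```powershell
# Added example: lifecycle check for a temporary third-party mitigation.
# Placeholders (not from the article): the vendor's hotfix id, the builds
# and UI languages the workaround was verified on, and the marker path.
$OfficialKb       = 'KB0000000'             # substitute the vendor's KB id
$SupportedBuilds  = @(2600, 3790, 6000)     # placeholder build numbers
$SupportedLocales = @('en-US', 'de-DE')     # placeholder UI languages
$MarkerPath       = Join-Path $env:ProgramData 'tmp-mitigation.applied'

function Test-OfficialPatchInstalled {
    param([string]$KbId)
    # Principle 2: know when the vendor's patch has landed on this host.
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Test-SupportedSystem {
    param([int[]]$Builds, [string[]]$Locales)
    # Principle 3: only touch builds and languages the fix was tested on.
    $build  = [System.Environment]::OSVersion.Version.Build
    $locale = (Get-UICulture).Name
    return ($Builds -contains $build) -and ($Locales -contains $locale)
}

function Sync-TemporaryMitigation {
    param([scriptblock]$Apply, [scriptblock]$Revert)
    $applied = Test-Path $MarkerPath
    if (Test-OfficialPatchInstalled $OfficialKb) {
        # Official patch present: the workaround must get out of the way,
        # but only if this script is the one that put it there.
        if ($applied) { & $Revert; Remove-Item $MarkerPath -Force }
        return 'reverted-or-not-needed'
    }
    if (-not (Test-SupportedSystem $SupportedBuilds $SupportedLocales)) {
        # Untested build or language: do nothing rather than guess.
        return 'skipped-unsupported'
    }
    if (-not $applied) {
        & $Apply
        New-Item $MarkerPath -ItemType File -Force | Out-Null
    }
    return 'applied'
}

# Constructed invocation: a real mitigation supplies its minimal change
# (Principle 1) and the exact inverse of that change here.
Sync-TemporaryMitigation -Apply  { Write-Host 'apply workaround' } `
                         -Revert { Write-Host 'remove workaround' }
```

Run it from a scheduled task so the revert fires on the first check after the official hotfix appears, rather than relying on someone remembering to uninstall the workaround.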
Another blogger, who only uses his first name, Michael, in his
MCW
Research blog, wrote that he didn't know enough about ZERT to
recommend the organisation's fix. But he liked that ZERT's action
shined a spotlight on the severity of the IE flaw.
"This does emphasise the severity of this vulnerability," he
wrote. "It's frustrating to me that with an application as widely
distributed and used as IE, Microsoft isn't quicker to the punch
with releasing patches. Patches are by design reactive security.
However, Microsoft is making them even more so by waiting until
there is a wide-scale impact before they'll rush a patch."
He said he's a huge proponent of a beta patch program where
Microsoft could release patches rapidly without having to perform
100% regression testing.
"In some cases I would most certainly weigh wide-scale
compromise as more important than wide-scale application problems
in my network," he said. "I want that choice and Microsoft is not
letting me have it. They are making that decision for me."
But in its blog, the Microsoft Security Response Center
noted that it got the patch out well ahead of its initial 10
October timetable. "Through some really top notch effort by all our
testing teams, we were able to reach our quality bar far sooner
than we originally anticipated," it said.
In his
blog, StillSecure chief strategy officer
Alan Shimel wrote that for better or worse, third-party patches
are here to stay.
"Basically, my feeling is that it is like playing Russian
roulette," he wrote. "However, with this latest VML vulnerability
and the subsequent patch by ZERT, I am beginning to think that my
opposition may be akin to spitting in the wind."
He said people unwilling to wait for Microsoft's patch cycle to
address this are going to take their chances. "I do not think this
will work for large enterprises," he said.
"Generally, they do not put out patches willy-nilly. However,
for small businesses or consumers, they are going to be driven into
this."
The general lack of enthusiasm for third-party patches is
consistent with what IT professionals have said during recent
interviews. Most said they'd never deploy a third-party patch in
their environments because there's a risk that these fixes could
actually introduce new flaws and make matters worse.