ZERT rekindles third-party patching debate

This week in Security Blog Log: IT security pros express more reservations about third-party patching, including the CEO of a company that released one a few months ago.


The blogosphere this week looks a lot like it did back in January, when Russian programmer Ilfak Guilfanov released his own fix for the Windows Metafile (WMF) flaw. That flaw was attacked on a massive scale, forcing Microsoft to patch it early.

This time, the blogosphere is abuzz about an organisation called the Zero-Day Emergency Response Team (ZERT) and its emergency fix for the Internet Explorer Vector Markup Language (VML) flaw. As with WMF, attackers have had a field day with VML, and Microsoft rushed out an early patch.

Patchlink also released a VML solution, but much of the blogosphere focused on ZERT, with a majority of people uneasy about the idea of using a patch that isn't from the supplier.

ZERT member Randy Abrams acknowledged third-party patching is risky in an interview with SearchSecurity.com this week. But with zero-day threats on the rise, IT professionals need extra tools to choose from so they can protect their networks while waiting for Microsoft to act, he said.

About Security Blog Log:
Senior news writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].


But some bloggers weren't sure that third-party patches are a tool worth having, including Ross Brown, CEO of eEye Digital Security, which released its own fix for the Internet Explorer (IE) createTextRange flaw back in March.

"While it would be easy to assume… that eEye would be all over releasing third-party patches as a commercial entity and while we have gotten advice from an analyst that this would be a great business … I don't think third-party patches are a great idea," Brown wrote in his Technobabylon blog. "They are a necessary evil that should be used sparingly."

He compared third-party patching to a virtual game of Jenga, where, over time, an unstable pile of code builds up in the system. "Adding third-party code that changes the basic functionality of the system isn't hard, but it is really hard to do well, especially as time passes and the other parts of the 100 million lines of Jenga code get moved around," he said. "Third-party patching is like playing Jenga blindfolded at best."

When eEye released its third-party fix, Brown said the firm got it right by following these design principles:

  • Touch as few parts of the system as possible to mitigate the flaw
  • Be aware of the official patch and disappear once that patch is installed
  • Be aware of the version of Windows, including languages and revisions, so the right code is patched
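The three principles above describe a stopgap that records exactly what it changed, checks on every run whether the supplier's fix has arrived, and retires itself when it has. The following is an added illustration of that pattern and is not eEye's, ZERT's or Microsoft's code; the host inventory, the `render_vml` setting, the supported-version list and the `KB-PLACEHOLDER` hotfix id are all constructed stand-ins, since the page names no bulletin or KB number.

```python
from dataclasses import dataclass, field

# Constructed stand-in for what a stopgap must know about a host:
# the OS build/language string, which hotfixes are present, and a
# handful of configuration values (think registry data, not real keys).
@dataclass
class HostState:
    os_version: str
    installed_hotfixes: set
    settings: dict

# Hypothetical identifiers: the real bulletin/KB numbers are not on the page.
OFFICIAL_FIX_ID = "KB-PLACEHOLDER"
# Principle 3: only builds the stopgap was actually tested against get patched.
SUPPORTED_VERSIONS = {"5.1.2600-SP2-en", "5.1.2600-SP2-de", "5.2.3790-SP1-en"}

_ABSENT = object()   # sentinel: the key did not exist before we touched it


@dataclass
class StopgapMitigation:
    name: str
    changes: dict                              # principle 1: the smallest set of keys the fix needs
    saved: dict = field(default_factory=dict)  # original values, kept for an exact rollback

    def apply(self, host: HostState) -> None:
        """Change only the keys listed in `changes`, remembering what was there."""
        for key, value in self.changes.items():
            self.saved[key] = host.settings.get(key, _ABSENT)
            host.settings[key] = value

    def revert(self, host: HostState) -> None:
        """Undo exactly what apply() did, restoring absent keys as absent."""
        for key, original in self.saved.items():
            if original is _ABSENT:
                host.settings.pop(key, None)
            else:
                host.settings[key] = original
        self.saved.clear()

    def footprint(self) -> list:
        """Keys the stopgap touches; useful for review before deployment."""
        return sorted(self.changes)


def reconcile(host: HostState, mitigation: StopgapMitigation) -> str:
    """One run of the stopgap's own maintenance logic (principle 2).

    Returns one of: "applied", "active", "retired", "not-needed", "unsupported".
    """
    if mitigation.saved:                                  # stopgap currently in place
        if OFFICIAL_FIX_ID in host.installed_hotfixes:    # supplier's fix has landed
            mitigation.revert(host)
            return "retired"
        return "active"
    if OFFICIAL_FIX_ID in host.installed_hotfixes:
        return "not-needed"                               # never install over the real patch
    if host.os_version not in SUPPORTED_VERSIONS:
        return "unsupported"                              # untested build: do nothing
    mitigation.apply(host)
    return "applied"


if __name__ == "__main__":
    # Constructed walk-through: apply, then retire once the official fix appears.
    host = HostState("5.1.2600-SP2-en", set(), {"render_vml": "1", "unrelated": "x"})
    stopgap = StopgapMitigation("vml-stopgap", {"render_vml": "0"})
    print(reconcile(host, stopgap), host.settings)        # applied, render_vml now "0"
    host.installed_hotfixes.add(OFFICIAL_FIX_ID)
    print(reconcile(host, stopgap), host.settings)        # retired, original values restored
```

The state machine is the point: a stopgap that cannot enumerate its own footprint, or that has no notion of "the official patch is now here", is the Jenga block Brown describes, because nobody can later tell what it changed or when it should have gone away.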

Another blogger, who only uses his first name, Michael, in his MCW Research blog, wrote that he didn't know enough about ZERT to recommend the organisation's fix. But he liked that ZERT's action shined a spotlight on the severity of the IE flaw.

"This does emphasise the severity of this vulnerability," he wrote. "It's frustrating to me that with an application as widely distributed and used as IE, Microsoft isn't quicker to the punch with releasing patches. Patches are by design reactive security. However, Microsoft is making them even more so by waiting until there is a wide-scale impact before they'll rush a patch."

He said he's a huge proponent of a beta patch program where Microsoft could release patches rapidly without having to perform 100% regression testing.

"In some cases I would most certainly weigh wide-scale compromise as more important than wide-scale application problems in my network," he said. "I want that choice and Microsoft is not letting me have it. They are making that decision for me."

But in its blog, the Microsoft Security Response Center noted that it got the patch out well ahead of its initial 10 October timetable. "Through some really top notch effort by all our testing teams, we were able to reach our quality bar far sooner than we originally anticipated," it said.

In his blog, StillSecure chief strategy officer Alan Shimel wrote that for better or worse, third-party patches are here to stay.

"Basically, my feeling is that it is like playing Russian roulette," he wrote. "However, with this latest VML vulnerability and the subsequent patch by ZERT, I am beginning to think that my opposition may be akin to spitting in the wind."

He said people unwilling to wait for Microsoft's patch cycle to address this are going to take their chances. "I do not think this will work for large enterprises," he said.

"Generally, they do not put out patches willy nilly. However, for small businesses or consumers, they are going to be driven into this."

The general lack of enthusiasm for third-party patches is consistent with what IT professionals have said during recent interviews. Most said they'd never deploy a third-party patch in their environments because there's a risk that these fixes could introduce new flaws and make matters worse.
