Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Inside the Third-Party Patching Conundrum



 By: Ryan Naraine
2006-09-29
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Inside the Third-Party Patching Conundrum
  2. ' Page 2 '
  3. ' Page 3 '

Rate This Article:
Poor Best
Inside the Third-Party Patching Conundrum
( Page 1 of 3 )

The emergence of a high-profile group of security experts offering third-party patches during emergencies has reignited a debate on the pros and cons of deploying unsupported product upgrades.

The emergence of a high-profile group of security professionals promising third-party software fixes during zero-day attacks has rekindled a debate on the merits—and risks—associated with deploying unsupported product updates.

The Zero Day Emergency Response Team, or ZERT, stepped out of stealth mode on Sept. 22 with a stopgap patch for a VML (Vector Markup Language) flaw that was the target of drive-by malware downloads—and, with a roster of well-respected security professionals on board, the concept of using a temporary fix ahead of Microsofts official update gained instant credibility.

Click here to read about ZERTs emergency IE patch.

Marcus Sachs, a former White House IT security expert who agreed to serve as corporate evangelist for the ZERT effort, said third-party mitigations will become even more important in what he describes as "a nasty zero-day world."

Resource Library:

"This patch is just another arrow in the quiver. These guys [in ZERT] are some of the best-known reverse engineers and security researchers. Its a tight-knit group that has worked for years to make the Internet a safer place," said Sachs, in Washington.

"This isnt a patch created by some guy in a basement. Its something that has been tested as rigorously as humanly possible," he said in an interview with eWEEK.

Sachs, who serves as a deputy director in the Computer Science Laboratory at SRI International, stressed that third-party patches should always carry "buyer-beware" tags because they are unsupported, but he believes IT administrators should strongly consider testing and deploying updates during emergencies.

"In this case, Microsoft had not yet issued a patch, and we had already confirmed zero-day attacks were spreading in the wild. Were not telling anyone to use it; were just offering it as an alternative," he added.

The ZERT patch is the third instance this year where a third-party fix was pushed out ahead of an official Microsoft update. In January, at the height of the WMF (Windows Metafile) virus attack, reverse-engineering guru Ilfak Guilfanov created and distributed a hotfix that was endorsed by the SANS ISC (Internet Storm Center), a group that tracks malicious Internet activity.

In March, two well-respected security companies —eEye Digital Security and Determina—shipped hotfixes for Microsofts Internet Explorer to provide cover for a code execution hole that was being attacked. eEye, in Aliso Viejo, Calif., claims its patch was downloaded more than 150,000 times in a two-week span and said feedback from IT professionals confirmed that there was a desperate need for third-party patches, depending on the severity of the public exploit and in advance of an official patch.

Peter Coffee has zero tolerance for Microsoft Office. Click here to read his analysis.

"Is there a need for third-party patches? Absolutely," said Ross Brown, CEO at eEye. "Most of the customers that downloaded our patch [in March] were from corporate domains. They were testing and deploying on thousands of systems. We know for a fact that people found it valuable enough to use it."

Next Page: Frustration over Microsofts slow responses.





  Reader Comments: Inside the Third-Party Patching Conundrum
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks8q8cH)ٖcXRMV(8H.I?q /=hv2sTl n4~$I Ӟc-Jg1ȣw&$5~]!4i=*_rdx9%GFԲ|W軫F]̉]ύP/?`᳑,Q :':@PL9uΜM9'ԗoO~e0.ZAq6*6!j:a?XX$1qHH.{H~Vh4HXޢر7{Xd33ݛ6BT|HJk4ًqG/w0Ə{/<Pcw̪0}dh9[P;Eyah -\r."Lѽ[@ *YNrDƞ4HCKh;Fýб}2|p `r*jXtGL: nK>1`:x =3~4dȢq/!)$fʀ [8#/6<{ex6ܳL]b#6fJmCO|l ݟR>AGc"S9ˡ,Fp氢,sti #M-jZUQ bkG{Q>oچs[=0q)sș[7~](eU]ϯr$Qw۷ܖu`*:n{'Owq@.{A Vb;}" @D%\.fI"0iMmdڽ~H}AFI?j;jkMюR=%i̮g fZҘ 'UUjH,qT~6.vEv ;lM,!R42V,^YHwE%M{#gkr>i>;sِ(lnAZ|[mUV7`K6O^E[CyCa#U#1t=ji>_OHN‰,O? `HmDi[ܺ̑\ yǛkaXY|Dͼ94o o 3E@;- uj 0k:j56kiJuf!0ND97fIs(,eg{AN)61tkM`3R˼IK2_VJ-ɿEh+dԌө$ɛ!"ˆG9xW,ʹc䁉1SUҽT7ws 9tipv^nVVՉ:YXYufjZnY?iQw9qj?^NI{Nk~hNj #\LoZ` \V)b1xh,VPQoaG-djˠqaeBݠc}nywσ`DhgEG>9Շm'RCGstDAG6V^lzK $ 47P}HOQI$w8=ss aKUԇQ߭D#m|*>ld(4(sɹw[XLLσ JC͋ư2+?>f9N@Fܧ}MrA=39nZд@c@] cRRP$C_MPԤv9BB !\60 HV(ZDBjԂK%Nk@G҅3qjP*bJZ ׸~)Pٚ*,'LGѺ̈́VANDlPPW)Д /k|*~ (tzSO Όŕ$ЊOWm?زZdY6~%afsP*oWuR@_F*ۊxceFuOGi+-mB IP֦(X kezxE:*&]7u(=Ts ( XTM.R?>2ai;aՒhx K[@ x@nH ~g&ʥë ;q\cOs=: 7S=`kcg@~AQ9sGQB-C,8cR*}a3*4&0S˹bp=q tX~l-\\CZ\S7aוּ/JM!}1l4]Z#C= D-0۠M E؄N6b^-!zhTԗKJAUc/`kLĽf62TsM[R9cDzlĠlE ]Q6-D:=G.5MH83[τOAE- 88qx3??uPV&<[J>F}`'|\scIF~OPaۘ34Q}q@6L,*IH՗bAQ OkMfB٧7_g>Ѐ!ak&A4b6BU.(L,:j1- [ Hg [^zo3C zoAaQI?IL< GGsͧ==1c* *3@@dVBc{ZYUKZTp}*xϹoǼM]:1h_₯/ݩQo>+vo?UMwK\ f>#]ܧaSaSF]TFh\odHX]M;H@OeƚR*%1c0uKNjZ0=: ͼz4_&?L!'Ic$+pD昜QOM4T;'PR,ΓeO#c#lʂtx!WMUm#ݚ `1}jDa#B",`f0%) =m6QJs8ԿEvλԴ)R+b::>JЯצ瞏+ӥ lć]L5}-dq]U*jAe߯y ^> ) LuPȐh%3G 2ݩp>xdV}P@MnΚB=Gm@$L|%4S(O;_VMONVШ4> s7}&-ov3Ot[̍<9u2E8Z.@1J,;E9Ȳ (`1BnuItLeclby@3#[4OQkh9 2<(ZB7X;"+۝,k0IeXfj 㪧RRU@V 3ˁ#_.qDz[TUe@5yH3m9 =EЋqc<u^8q?TYe)(@qc@@f "RrMuY;tЊµ7*6P#I+*~ EGQuzd*+ZR< +8r=-hxў2G+++e-2۹in.9 4˷KV-,sKiʌg _|r]rf)uyā5C/-iBsEr`0S4$NVpDMc? )2?0T OL3 hQˤ̛gg]4g?Y7Xy*?q31Cϔ:ɹT.jZl[)Uʹfc"0`!0X>2(s,~W9ـo9 |\V*Zd>C`t>X8'?lgH # +So~.RHC$ |\J8 ;}XPf73 991t/x߹~Ъۣ[ $^f}p;nnow/ +9o?8{>kq 2 }"/O[8$#_?\w?^JNCM q ߲oQR=H3 r!CG$=ĸ}/gvj/?H׼mv: 72wDH4rӼо_>^tU#rѾlI^+Q\#'R9!pUV:aSڎ6N #Z[?8i4rG/=}iR_Ku͉|9kI*D|=d_5gHܰGhN٩{k*Q Bb/3bA!I|JgGهAP#{ ~ P)'$Est%;-38^t}Ih !酘:Ua2"(BRHHO—,v:^79Q%l6w F㯊Nd^K+tuZ-[N7S+dI;D_q+ kNz4&s\3[5ntDdLp l_{`Ecrz4-_w JE5P!ARB9kũ-xOӖO|BB[aJ;ńOa2ބu?Is6vH$<1KђL)dJHÃ!F =)!*چI$28J542 eI? U4㓘PVl iWɂ#'59ݻ< /.iw>6V"#&0Gv\%0Ґ qo4/…@ Rr;8%Ţ鳁᪖}+ ŏhuZ]- U9$y/tϯZEbݙms==vkx%NdQ:ZZ1ߠnOZ\hta|`|;=3F'5L{hF v-QM xV=;0 4 hw-{xoCƆ'u?y{do&=0Yz$AC~gN~ℜ7o;~[oue's7)۽tNimơ8 ^l"$$yUZU3$]d%]F vZxA2M3}%3 -яKni^x wg[1rfeo}I>]bwP(;<_b}[t]"ekFOWEKK㜏qzejГGmחB}޿ȿ LĴhg2h덫{LsLxj Yj4&K-x<^79wFf#AVާA3qlŨ`jox?'sfd2E3V_|`ɤbN/_G|8/ j$3 ضэЧJFSA7\MrP\YdNCƋ RzV VCxz/sF=7QV~F?-z0LN4oIot٩ƆVPs& 9!(q(obdJ](@h3% #P[2<ᐗ㎱b7L%;;3 .s zQִL<ǰIrox;c [4,&,h˰Qs^;-ĊFV#Mt0.=3pebPGP;ΊX;ˌI-:*H[ :a;o#b%>,xDdNJ]y3v؃HPNF:^NXMƆaZ!q= i*'G&ՉO+J6Ü7bo9%$(7CfH+w KV6x}yyݱ993> mo%^Z+dd8xbOM/Sc Eʅg*Lhdz PբV0(ڱJB܎BE+&A}-\HOKU$Wܪ{,ѣ-D#:DbȌ-ccb[Nrŏ(.umڿwb UOFD'P]}!7.%Y9$j[?k6{1KMH{THG9ٙ{,pCr}:C$D @$ "! ]9m&[۹1HR|t%0d 5QyK{y[S:v0*N Ojځ fDT!XFU$V-' =Ff&IwnnnnzMrRmZ,5/{Ǹ9\|o%0WYZz !!l^7^Ƕ{4mض6-۶6Tr t> K񘅤ԉ\2h#\rD<"ᓴ!WC//OCFi{:>]1p2K؋yIUd:*q(vM?UA?@{UeH^8,TPƱP橆c18<4? G^ 4~OAKi=n1Ԓԁ=r5`d%]Qǵd&b3=|:PN@"^WAz}=w{cRB1q<ۭg2ЬzVVŨ([cUbwh&hRm}LęG}69D $h On#oXa. oͺ, ԯifH=F,<K\8gP)=ho.{Hhh %'?[>yŞw~fθ[֟kB *^kSB./+ߚ'(ncڍ1N} DQMl߼ÿ ٩eLfFRsom-[o6௶eqla}1Ǖ=uaYmsm-6,љsGW"IeaX -]_p ț@- @ȼ#MlD5VfX(l%"Q0M_%,⌱fnm9s?nH4Rk "D+ɻt zD(saVӯK{~i[ {T_߷8V1H̋״d=II7m&$f)Zaz8S[~xv1 B1P1+§\3ovbOC|tqt{Qy1Jũ߳yHY1zX6c ~VxrZLvE`qĴ}ΐ+BqñŃMW7ֺ ˟* O2ŇOXtQm @LQӬfPu!ۿT}frwQ>rs-X2UBSNUǏ{'s:^я{#TXTCa5AƵ@)%.OՀz[#$~C!R8{=1*(5toTxul?mEXt` aB(hFHAwy4%~D?S9E=1k>V8΅/ {'94i>sJ]ILa!-(!-DqaIz+7&sψ$9quMIm$i 0JЍ?V&gBx@ ,%9n"wya/`<ĒAGIw(p#(4o&vn =B2)lW-TsZ.Wu䫚RѪEUz7 pv+cn5XV襍ҵτ8'p{ht; m Hh)#v.CN H Wkn3R)59/R\mD 9v|E#/Vkў2,9)ߛt_ahKZI<+. Nc1q2.ȹn붩t$4 KGk`\adZs{G< )(q5 _]@x8?AnIݴX7Њϟ=o·IׄQT1w) :{ᛂrPZ- G_ 6aVzgZq!G)|l}o #d2zޘx6e# kʊWH7}H[g'郀tZ!rK/~m#kN1H3:A~;n~)5q cpT`sԪϪ2d5B&(qik8<4>|?_zYu`nO[Za kE$06C#B s<3D@E^´G֜ iu3ScA=۾blUo%P`qT83nj=J<|WHE/ą"t]\"@J>S|נѠ??'~%\I0|ln h`̃2uEܹ]ez?>sOe~qt6=KqftdˡQ(b:M u?3ɏKݜ(8&j9It!CK/HFzNsZacF]a_N͑/#~|aЇ9\ 3+z+U”P*:P |+V0c_Չ(ߺoS|]wV7Xz+i+K9Iˑ1*Yw߅< *eŵ?hF39^&9nHq}ow/q{5} '\MGݩ;'ݫgukx S6/M&ƋBy2 gN)sS9,jO4dȀW.}QQY\mę]/~D0/& F: 񏁦uӲr Ϗgw:.꿘.9q Χ}uR@\Js@AC|k]N{5BJe@B_ KF5_o?i63GJo?2O ds,?2#ܜ5ۛۧF4#gڗvF2?C">vNt`w~' >ී৓1g'>;@ D'ew {1?s w1]7]? ͐/W@Wq2_\gO诟A@?6A_ SV>S>>eo~o2ڿh&k$eCnNp3Kq /Wa uy_ yVV ?^`fkWx.rg e{9;k?[_W'Bh\jzr+*޲fimTv+iAư[x.6Q^/UZ%+ޤQ.a 3l>VLY[lOмz' Jܓs+Z`~J\]%ds+e|Ufe+tV1&ϋR<=s| CG0U5yhznyG~|_<ڻsϬMU5IAm(!9q}»2SwsفGjߚD,| eHIZ-n>Qއ^V_0n:xfW=u}ټ\5?X= 쓥/>gA7gn"B8C0 dp=s.ʼnS ;wM-=CO_ N镺.{4ǽ {1ueIP*5VZ*я{_5"mz@FfDdU*[ZX,g/g2l]gۆJZCO\3CX.ḇ}l5@ PxmE}+cXAV7/\FսD<'M~ m

[=6bRFՏHc֠}Q1H45~; ū:aсYk{nD8sx2&Q_ ɝXܐbpf`)OF.lHpyusڹ Y9ﺮF)\!)/Հ`;wj#fL~^::TǛ</ bO|(pIi`gĈ{x Lmb[>/I0u=v`t[&<˄LYRcm^+%aI㿄$Rv&:/s@{ S΢H|\֊,#!1˄I Mc Vj*q9wid:Xzt<&Ѡ_0#2:'DJ  Vi 궯EݩcFi_cͅ x{p?`jød|EBU}C 1̅{ԟ#1P YY/u8:\5m$=IKh4[5b8gK›JrJcw]/I)H[aȹD.Iw7隽vA7J-{XL "a'/"^= g _H6GD!qYб ߚQ DOY2vy>=|nZQږy@6awW(HYE҆/@B`ɑX)u'lnȯd)0Py4w<p"I>n809խ`*s<`2x̴u{$/;vc3)GNJph)hF}y?Y u+ 1ml.; ;C:bx:vCA\U C 恜0њYԘPWGQ:ۓ|?oe{:з57d(Z|ӽE^hFq:h I W9:-  `⍈me@eV9H\*,yf 4 vkf_N[ƝMQr,#<[^ҵ<ok5+owt-(%x0;n·Oyk[(| _a[P~Y JbA,\2;>Ŗi3x}@ = oF85`y+@04{W 21Sg^)ZwA#$c-:ԭ8?P0h߀~c&QyN܌1GtD]T[) ʢS6M 9ߵS3p߼,ۿvyFXg3# cgb@xO=_qxF| /Xl c)dv̄6 !yyuvҕ ^袸ɍIF`c^d;+)ؐ9r{0bO1l Qv7}`F*)AuҰ· xsWeH"<-]8S|gvC%ۄ6:L] l&j4b>Y{& LW{څ$hxj< nh1 d'kI'R la$:R3 Eh z.t3\04yv\󡳼p)ϩw{_|Iެd;J s=I9~p _YG/X]0^0ʳe_:kvK%l~Z~v^?;k_ZayBcFLl47E:?CKɯ/OI2V]5OOۗ񱞽T7vqr9̳ǠbP7]ӨZY$IL#;ou['- ].IM)V [=jvB[W셫Qbm٦d Ui29Z}) qͫ֫4>%(1vlƝl n!%56|L=_k EW0b'