Joe Stewart, a reverse-engineering specialist at SecureWorks, in Chicago, said he volunteered his services to ZERT willingly out of frustration with Microsofts slow response to the threat. "Microsoft needs to start paying attention and recognize that theres a need for an out-of-band patch. Its somewhat irresponsible to tell customers to wait two weeks for Patch Tuesday while computers are being hosed with malware," he said. But not everyone is jumping wildly onto the third-party patching wagon. "I will not use the unofficial patch, nor can I think of anyone I would recommend it to," said Jesper Johansson, a former Microsoft security consultant now working at a Seattle-based online retailer. "Personally, I worry about putting unverified and untrusted binaries on my system, and about the likelihood that they are going to be any higher quality than the ones Microsoft releases."Susan Bradley was faced with that exact scenario during the recent VML crisis. As partner and self-described "chief cook and bottle washer" at Fresno, Calif., accounting firm Tamiyasu, Smith, Horn and Braun, Bradley weighed the risks and opted to use Microsofts prepatch mitigation and avoid the ZERT fix altogether. Click here to listen to an OnSecurity podcast about third-party patches. "For me, its a support issue. I cant install something on my systems that is unsupported. Im just not comfortable with a third-party patch that takes a machine out of support," Bradley said in an interview. "Its a risk management issue for us. I just cant take the chance and bet on an unofficial fix. The cost of putting my network out of support is just too high," she added. Next Page: "Last-ditch option."
Johansson believes the decision about using a third-party fix is a risk management issue that has to be weighed properly. For a business with high security requirements, an unofficial patch could be practical. "If your risk and the cost of the attack are very high, then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now," Johansson said.