For Dave Goldsmith, president of New York-based penetration testing company Matasano Security, a third-party patch should only be considered as a "last-ditch option" if there is a service at risk that's critical enough that all known mitigations are insufficient. "In that scenario, I would recommend it for enterprise clients, provided they are comfortable with any risks associated with potentially violating support contracts," Goldsmith said. "They would need to test it extensively first, [but] the real problem with this is that an enterprise has little recourse if the patch breaks things, or is in fact malicious."

The group, which boasts a roster of volunteers that includes Halvar Flake, CEO and head of research at Sabre Security; Paul Vixie, founder of the ISC (Internet Software Consortium); Roger Thompson, chief technology officer of Exploit Prevention Labs; and Florian Weimer, a German computer expert specializing in Linux and DNS (Domain Name System) security, will roll out hotfixes for Windows 98, Windows ME and Windows 2000 (pre-SP4). Businesses running those OS versions now have to pay for custom support from Microsoft because the software maker does not offer free patches for out-of-support products.

There is a general feeling that ZERT's patches for older OS versions could prove very valuable, but, as Johansson explains, "It is misguided to think that patching a single issue will prolong the life of a system designed to a threat model that was accurate eight to 10 years ago.

"I can't recommend anyone to patch, or even stick with, an out-of-support operating system. The fact remains that this is only one issue those systems are vulnerable to. They need to be replaced with up-to-date systems. It is not prudent risk management in my opinion," Johansson said.

According to eEye's Brown, the big win from the ZERT initiative is an acknowledgment from Microsoft that its rigid monthly patch cycle is not always a practical approach to securing its customers.
"I have no doubt that ZERT pushed Microsoft to go out-of-band [with the VML patch released on Sept. 26]," Brown said. "It puts pressure on Microsoft to be more responsive to serious issues. They wouldn't have gone out-of-cycle if ZERT wasn't there, offering an alternative that they're uncomfortable with," he added.
According to ZERT spokesman Gadi Evron, the group plans to release VML patches for out-of-support Windows versions, offering an option for businesses still using older OS versions because of application compatibility concerns.