Inside the Third-Party Patching Conundrum

The emergence of a high-profile group of security experts offering third-party patches during emergencies has reignited a debate on the pros and cons of deploying unsupported product upgrades.

The emergence of a high-profile group of security professionals promising third-party software fixes during zero-day attacks has rekindled a debate on the merits—and risks—associated with deploying unsupported product updates.

The Zero Day Emergency Response Team, or ZERT, stepped out of stealth mode on Sept. 22 with a stopgap patch for a VML (Vector Markup Language) flaw that was the target of drive-by malware downloads—and, with a roster of well-respected security professionals on board, the concept of using a temporary fix ahead of Microsofts official update gained instant credibility.

/zimages/1/28571.gifClick here to read about ZERTs emergency IE patch.

Marcus Sachs, a former White House IT security expert who agreed to serve as corporate evangelist for the ZERT effort, said third-party mitigations will become even more important in what he describes as "a nasty zero-day world."

"This patch is just another arrow in the quiver. These guys [in ZERT] are some of the best-known reverse engineers and security researchers. Its a tight-knit group that has worked for years to make the Internet a safer place," said Sachs, in Washington.

"This isnt a patch created by some guy in a basement. Its something that has been tested as rigorously as humanly possible," he said in an interview with eWEEK.

Sachs, who serves as a deputy director in the Computer Science Laboratory at SRI International, stressed that third-party patches should always carry "buyer-beware" tags because they are unsupported, but he believes IT administrators should strongly consider testing and deploying updates during emergencies.

"In this case, Microsoft had not yet issued a patch, and we had already confirmed zero-day attacks were spreading in the wild. Were not telling anyone to use it; were just offering it as an alternative," he added.

The ZERT patch is the third instance this year where a third-party fix was pushed out ahead of an official Microsoft update. In January, at the height of the WMF (Windows Metafile) virus attack, reverse-engineering guru Ilfak Guilfanov created and distributed a hotfix that was endorsed by the SANS ISC (Internet Storm Center), a group that tracks malicious Internet activity.

In March, two well-respected security companies —eEye Digital Security and Determina—shipped hotfixes for Microsofts Internet Explorer to provide cover for a code execution hole that was being attacked. eEye, in Aliso Viejo, Calif., claims its patch was downloaded more than 150,000 times in a two-week span and said feedback from IT professionals confirmed that there was a desperate need for third-party patches, depending on the severity of the public exploit and in advance of an official patch.

/zimages/1/28571.gifPeter Coffee has zero tolerance for Microsoft Office. Click here to read his analysis.

"Is there a need for third-party patches? Absolutely," said Ross Brown, CEO at eEye. "Most of the customers that downloaded our patch [in March] were from corporate domains. They were testing and deploying on thousands of systems. We know for a fact that people found it valuable enough to use it."

Next Page: Frustration over Microsofts slow responses.