Our View: ZERT to the Rescue

Opinion: The emergence of the Zeroday Emergency Response Team is good news for users.

A new exploit is leaving your desktops vulnerable, but Microsofts patch is not due for another week. What to do? Faced with such a dilemma, many IT professionals are turning to ZERT.

ZERT is an acronym for Zeroday Emergency Response Team, a group of security expert volunteers who create patches for security holes, mainly in Microsoft products, and make them available to the public. If you download a ZERT patch, you do so on an as-is basis. There is risk. But ZERTs track record is excellent so far. According to what we can tell, its at least as good as any vendors.

We think ZERTs emergence as a player in the security arena is good news. Where users were formerly at the mercy of a vendor for patches, now they have choice.

ZERT is making its presence felt at a time when the security communitys eyes are trained on Microsoft as the software giant readies its Vista version of Windows with security features Patchguard and Windows Security Center. In addition, the 64-bit version of Vista restricts kernel access, barring security vendors such as McAfee and Symantec from the kind of contact with the operating system they have had historically.

While Microsofts moves change the playing field in the security market even as the company ships more security products of its own, we dont think Microsofts moves end the need for third parties—be they McAfee, Symantec or volunteer organizations such as ZERT—to strive to meet customer needs. And while antitrust watchdogs ought not to take their eyes off Microsoft, we dont think that Microsofts moves yet cross the threshold of anti-competitive behavior.

Just how Microsoft will respond to ZERT remains to be seen. While ZERTs success could embarrass Microsoft, we think that ZERT is very likely to be of real benefit, intentionally or not, to Redmond. Microsoft has benefited immensely over the years from its vast community of developers. Sure, ZERT is different, but what vendor wouldnt want volunteers to fix its products for free? And the presence of ZERT can only make customers feel more secure about buying Microsoft products—if Microsofts patches dont suffice, then its likely that ZERTs will. And ZERTs performance is likely to spur Microsoft to make its own patches better and to make them available faster.

Can you feel confident downloading and applying a ZERT patch?

Its your system, but ZERT has a good track record and the open-source movement seems to be doing pretty well at this point. Is ZERT infallible? No. Just because it hasnt erred yet doesnt mean it will remain error-free in the future. There is risk. So far, though, it looks like the risk may well be worth taking.

Tell us what you think at eweek@ziffdavis.com.

eWeeks Editorial Board consists of Jason Brooks, Larry Dignan, Stan Gibson, Scot Petersen and Lisa Vaas.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.