AOH :: ISN-3079.HTM

Inside the Third-Party Patching Conundrum

Inside the Third-Party Patching Conundrum
Inside the Third-Party Patching Conundrum,1895,2022366,00.asp 

By Ryan Naraine
September 29, 2006

The emergence of a high-profile group of security professionals 
promising third-party software fixes during zero-day attacks has 
rekindled a debate on the merits - and risks - associated with deploying 
unsupported product updates.

The Zero Day Emergency Response Team, or ZERT, stepped out of stealth 
mode on Sept. 22 with a stopgap patch for a VML (Vector Markup Language) 
flaw that was the target of drive-by malware downloads - and, with a 
roster of well-respected security professionals on board, the concept of 
using a temporary fix ahead of Microsoft's official update gained 
instant credibility.

Marcus Sachs, a former White House IT security expert who agreed to 
serve as corporate evangelist for the ZERT effort, said third-party 
mitigations will become even more important in what he describes as "a 
nasty zero-day world."

"This patch is just another arrow in the quiver. These guys [in ZERT] 
are some of the best-known reverse engineers and security researchers.  
It's a tight-knit group that has worked for years to make the Internet a 
safer place," said Sachs, in Washington.

"This isn't a patch created by some guy in a basement. It's something 
that has been tested as rigorously as humanly possible," he said in an 
interview with eWEEK.

Sachs, who serves as a deputy director in the Computer Science 
Laboratory at SRI International, stressed that third-party patches 
should always carry "buyer-beware" tags because they are unsupported, 
but he believes IT administrators should strongly consider testing and 
deploying updates during emergencies.

"In this case, Microsoft had not yet issued a patch, and we had already 
confirmed zero-day attacks were spreading in the wild. We're not telling 
anyone to use it; we're just offering it as an alternative," he added.

The ZERT patch is the third instance this year where a third-party fix 
was pushed out ahead of an official Microsoft update. In January, at the 
height of the WMF (Windows Metafile) virus attack, reverse-engineering 
guru Ilfak Guilfanov created and distributed a hotfix that was endorsed 
by the SANS ISC (Internet Storm Center), a group that tracks malicious 
Internet activity.

In March, two well-respected security companies - eEye Digital Security 
and Determina - shipped hotfixes for Microsoft's Internet Explorer to 
provide cover for a code execution hole that was being attacked. eEye, 
in Aliso Viejo, Calif., claims its patch was downloaded more than 
150,000 times in a two-week span and said feedback from IT professionals 
confirmed that there was a desperate need for third-party patches, 
depending on the severity of the public exploit and in advance of an 
official patch.

"Is there a need for third-party patches? Absolutely," said Ross Brown, 
CEO at eEye. "Most of the customers that downloaded our patch [in March] 
were from corporate domains. They were testing and deploying on 
thousands of systems. We know for a fact that people found it valuable 
enough to use it."

Joe Stewart, a reverse-engineering specialist at SecureWorks, in 
Chicago, said he volunteered his services to ZERT willingly out of 
frustration with Microsoft's slow response to the threat. "Microsoft 
needs to start paying attention and recognize that there's a need for an 
out-of-band patch. It's somewhat irresponsible to tell customers to wait 
two weeks for Patch Tuesday while computers are being hosed with 
malware," he said.

But not everyone is jumping wildly onto the third-party patching wagon. 
"I will not use the unofficial patch, nor can I think of anyone I would 
recommend it to," said Jesper Johansson, a former Microsoft security 
consultant now working at a Seattle-based online retailer.  
"Personally, I worry about putting unverified and untrusted binaries on 
my system, and about the likelihood that they are going to be any higher 
quality than the ones Microsoft releases."

Johansson believes the decision about using a third-party fix is a risk 
management issue that has to be weighed properly. For a business with 
high security requirements, an unofficial patch could be practical. "If 
your risk and the cost of the attack are very high, then you may want to 
consider the unofficial patch, but I cannot in the best conscience 
recommend it right now," Johansson said.

Susan Bradley was faced with that exact scenario during the recent VML 
crisis. As partner and self-described "chief cook and bottle washer"  
at Fresno, Calif., accounting firm Tamiyasu, Smith, Horn and Braun, 
Bradley weighed the risks and opted to use Microsoft's prepatch 
mitigation and avoid the ZERT fix altogether.

"For me, it's a support issue. I can't install something on my systems 
that is unsupported. I'm just not comfortable with a third-party patch 
that takes a machine out of support," Bradley said in an interview.

"It's a risk management issue for us. I just can't take the chance and 
bet on an unofficial fix. The cost of putting my network out of support 
is just too high," she added.

For Dave Goldsmith, president of New York-based penetration testing 
company Matasano Security, a third-party patch should only be considered 
as a "last-ditch option" if there is a service at risk that's critical 
enough that all known mitigations are insufficient.

"In that scenario, I would recommend it for enterprise clients, provided 
they are comfortable with any risks associated with potentially 
violating support contracts," Goldsmith said. "They would need to test 
it extensively first, [but] the real problem with this is that an 
enterprise has little recourse if the patch breaks things, or is in fact 

According to ZERT spokesman Gadi Evron, the group plans to release VML 
patches for out-of-support Windows versions, offering an option for 
businesses still using older OS versions because of application 
compatibility concerns.

The group - which boasts a roster of volunteers that includes Halvar 
Flake, CEO and head of research at Sabre Security; Paul Vixie, founder 
of the ISC (Internet Software Consortium); Roger Thompson, chief 
technology officer of Exploit Prevention Labs; and Florian Weimer, a 
German computer expert specializing in Linux and DNS (Domain Name 
System) security - will roll out hotfixes from Windows 98, Windows ME 
and Windows 2000 (pre-SP4).

Businesses running those OS versions now have to pay for custom support 
from Microsoft because the software maker does not offer free patches 
for out-of-support products.

There is a general feeling that ZERT's patches for older OS versions 
could prove very valuable, but, as Johansson explains, "It is misguided 
to think that patching a single issue will prolong the life of a system 
designed to a threat model that was accurate eight to 10 years ago.

"I can't recommend anyone to patch, or even stick with, an 
out-of-support operating system. The fact remains that this is only one 
issue those systems are vulnerable to. They need to be replaced with 
up-to-date systems. It is not prudent risk management in my opinion," 
Johansson said.

According to eEye's Brown, the big win from the ZERT initiative is an 
acknowledgment from Microsoft that its rigid monthly patch cycle is not 
always a practical approach to securing its customers.

"I have no doubt that ZERT pushed Microsoft to go out-of-band [with the 
VML patch released on Sept. 26]," Brown said. "It puts pressure on 
Microsoft to be more responsive to serious issues. They wouldn't have 
gone out-of-cycle if ZERT wasn't there, offering an alternative that 
they're uncomfortable with," he added.

Donate online for the Ron Santo Walk to Cure Diabetes! 

Site design & layout copyright © 1986-2014 CodeGods