To patch or not to patch: the third-party question

Free Newsletters

Log-in | Register

SECURITY ADVISER

To patch or not to patch: the third-party question Should you install third-party patches while waiting for the real thing?
By Roger A. Grimes October 27, 2006			E-mail Printer Friendly Reprints Slashdot It!

Microsoft Internet Explorer and Microsoft Office have been under a zero-day attack barrage for the last few months. In what is becoming a familiar cycle, Microsoft releases its new monthly patches on “Patch Tuesday," only to have a handful of new zero-day public exploits announced a few days before or after. The hackers want to maximize the time their zero-day exploits exist in the wild before Microsoft has a patch for it.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Microsoft

Microsoft, using customer feedback, automated tools, and its participation in an anti-virus consortium, measures how widespread each new zero-day attack is. If the attack is truly widespread, Microsoft rushes the normal patch cycle and delivers the fix before the next Patch Tuesday release. If the exploitation is not widespread, which has often been the case, Microsoft waits until the normal Patch Tuesday cycle. Taking its normal time to create and test a patch normally means more stable patches (it’s even been a tough road there for Microsoft lately…but that’s another story).

Microsoft gets a lot of grief when it decides to wait until the normal Patch Tuesday cycle to patch a new zero-day exploit that is loose in the wild. The press is all over the latest bug, self-feeding on the hype. Even one of my favorite sites, dshield.org, gets on the bandwagon prematurely, dogging Microsoft for not delivering instant patches while millions of malicious exploits are supposedly spreading. In most of these recent cases, the "millions of malicious exploits" turned out to be fewer than 100 in the wild.

But perception is reality, and Microsoft takes it on the chin while the latest patches are being debugged. Whether or not the threats do become moderately widespread, consumers are left hanging in the wind until an official patch is deployed or some other offsetting protection (such as setting an applet kill bit) can be advertised and deployed. Most consumers never deploy alternate protections, so they remain unprotected until the official patch is deployed.

Because of this, several third parties have begun releasing protective patches to close holes until the official patches are released. Central to this phenomenon is the newZeroday Emergency Response Team (ZERT). ZERT is a talented team of programmers and security experts dedicated to creating patches when the official patches lag behind popular demand. ZERT’s ZProtectorframework allows third party Microsoft Windows patches to be created and deployed, while eliminating the need for the third-party patch to be uninstalled once a vendor patch becomes available.

Other professionals, such as Dr. Jesper Johansson, a former top Microsoft security employee, recommend offsetting defenses that defang zero-day code. Jesper recently came up with some solid security fixes that could be quickly deployed using group policy.

Microsoft and many other security experts warn customers against deploying third-party patches and fixes. Most customers should strongly consider this advice. For one, third-party patches and fixes are often not as thoroughly tested as well as an official patch. A Microsoft source once told me that each Internet Explorer security patch undergoes thousands of regression tests before it can be released.

It’s also true that third-party patches have caused more problems than they solved. Even Jesper’s excellent VML protection script caused problems on a certain class of Windows computers in a common patch scenario.

But with the official warnings in mind, I feel that any company with a knowledgeable administrator who has the time to test a third-party patch or fix thoroughly can benefit using third party patches and advice in times of crisis. Some of these sources are quick to respond if something does go wrong: Jesper made updates to his fix-it advice as soon as he became aware of the problems, for example; ZERT appears to be making the right choices in how it applies its patches, not modifying the original impacted executable.

In my opinion, if a widespread exploit is high risk in your environment, you should consider testing and deploying a third party patch or fix. Management should be made aware of the nature of the third party patch, the risks, and give final approval. And as with any new patch -- even official patches -- you should test thoroughly and have a tested reversal plan in case the medicine is worse than the disease.

E-mail

Printer Friendly

Reprints

Slashdot It!


	InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security. He is also the author of several books, including Malicious Mobile Code: Virus Protection for Windows. • More of Roger A. Grimes' column Newsletter Check out all of our free newsletters! Enter e-mail address:

TOP NEWS:

» Sun's expanded storage lineup takes on data boom
Sun Storage J4000 arrays can cost just $1 per gigabyte for bulk storage, with significant savings resulting from free software

» Hands on with Giga-byte's M912X mini-laptop
Giga-byte netbook's 8.9-inch touchscreen that can swivel around 180 degrees makes it stand out from the rest of the pack

» Google tool creates 3D social spaces on Web sites
Google's Lively platform integrates with the regular Internet, enabling users to create a 'room' and embed it with their Web site or blog

» Microsoft innovation winner finds gold in green
Imagine Cup winner develops a way for people to report environmental problems with their mobile phones

» Symantec warns of new Word attack
Symantec says cybercriminals are exploiting an undisclosed vulnerability affecting Microsoft Word

» Microsoft vs. VMware: Rumble in the virtual world
As Hyper-V marks Microsoft's entry into virtualization, market leader VMware must consider new strategies for survival against the software behemoth

Remote Access: Maintain Security and Decrease the Burden on IT
Join this interactive webcast to discover how IT Managers can control access rights, end-user security settings and end-point authorization. Sponsor: Citrix(R) GoToMyPC(R) Corporate

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Consolidating Workloads onto Mainframes - The flexibility, efficiency, and reduced cost of ownership virtualization provides makes it extremely compelling to large...
Transformational Analytics: Virtualizing IT Environments - The overwhelming complexity of the modern data center compounds the problem of how to safely virtualize IT environments....
Wide Area Data Services - Finally - some clarity in the application acceleration and WAN optimization space. Find out how WAFS, WAN optimization, ...
Five Ugly Truths about WAFS and Caching - WAFS and caching are approaches used to accelerate specific applications. They sound good in theory - saving bandwidth and...
Advanced Workload Analysis Techniques - After business and technical constraints have been analyzed, virtualization planning becomes a trade-off between how much...
Refine your company's plan for a Business Disruption Event - Many firms fail to consider how lines of communication will stay open in the event of a BDE. Make sure your company's mobile...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
CA - Efficient - Flexible - Compliant PGP - Is Your Data Safe? Novell, IBM, and Intel - Solution for Open Virtualization Provides Server Consolidation Curl - IT Guide: Rich Internet Application (RIA) Security HP/Intel - If you don't have enough I/O, your VMs aren't going to go. Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. AT&T - Factors to consider when comparing DSL or Cable Cirba - Advanced Workload Analysis Techniques Rackspace - Go Green Without Sacrificing Server Performance CA - Manage your IT more effectively. AT&T - Measuring mobile productivity AT&T - Thinking about IMS CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event AT&T - Going mobile with today's technology Cirba - Consolidating Workloads onto Mainframes AT&T - What to expect from a Technology Assessment.		AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist