
The Third-Party Patching Conundrum

Posted by kdawson on Sun Oct 01, 2006 07:04 AM
from the who-do-you-trust? dept.
An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."
  • by iMaple (769378) * on Sunday October 01 2006, @07:12AM (#16264735)
    Well, third party patches are being used and deployed quite regularly in the FOSS world. In fact, this was one of the points the Mozilla people tried to highlight in their recent trademark dispute with Debian (mainly accusing them of shoddy patches).

    It is not really a conundrum; whether you use a third party patch or not just depends on who the third party is and to what level you trust it. I'll install a security third party patch by the Debian devs but might think twice if it was by someone like Linspire (not because they are necessarily shoddier, just the question of trust).
  • I never understood the need for security analysts, patches and all that. Why can't they just install some sort of filter in the internet tubes and be done with it? Maybe a good time to write Senator Ted Stevens?
  • No M$ bashing here... (Score:1, Interesting)

    by xTantrum (919048) on Sunday October 01 2006, @07:20AM (#16264763)
    I could see arguments for both sides. Microsoft's own patches can usually be automatically updated without going to another website, but at the same time these third party patches are usually quicker to be released and I have to wonder, is it not like open source in the sense that many people are working on the same problem?

    These people obviously know what they're doing and to be quite honest with you, I like to choose whether or not I update my system with the latest patch that may slow down my computer or install sh*t I don't need. However, that's for computer savvy individuals like myself. However, I don't see this really happening with the masses. People will just turn on automatic updates and click on that irritating flashing icon in the system tray. Who cares what it is, it's obviously from M$ so it must be needed - so the thinking goes.

  • by Anne Thwacks (531696) on Sunday October 01 2006, @07:27AM (#16264799)
    As MS have a monopoly, they should be forced to support the OSes or open-source them (their choice).

    Given the fact that huge numbers of Win2k and Win98 systems are, and will remain, in use, they must be patched to deliver homeland security.

    If MS won't release patches, surely it is incumbent on the US Government to force them to OpenSource them so that others can. The US government IS still supposed to deliver homeland security?

  • by quiberon2 (986274) on Sunday October 01 2006, @07:29AM (#16264807)
    It's getting more like a picture of who can deliver the best buggy-whips by the day. The rest of the world has moved on to cars and aeroplanes.

    I 'stabilised' my Microsoft Windows a while ago; I don't actually require any fixes, if it catches a virus and dies then that is just the way of the world. The next investment will be in a Sony Playstation.

    Any vendors who don't support it, I'm not buying what they have to sell.

  • I'll use them (Score:3, Interesting)

    by ancientt (569920) <ancientt@yahoo.com> on Sunday October 01 2006, @07:32AM (#16264815)
    (http://www.phantomcode.com/ | Last Journal: Tuesday July 24, @08:32AM)
    I don't know anything about them, but when I get back to work on Monday I'm going to investigate with the hope I can use them to keep my old Windows installs secure. If they're doing patches for Windows 2000 then I practically have to at least look at the option. If Microsoft were reliable and didn't stop releasing security patches for "old" OSs, then I wouldn't need to.

    I hope this really irks the people at Microsoft that make the decisions on when to EOL something.

  • It seems like lately, every time MS takes "too long" to release a patch, someone rolls out an unofficial one - and then this debate rages on whether or not that's a "good thing".

    Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones.

    It would still accomplish the same result that most of these security experts seem to want: making MS look bad for their slow response times. (Imagine the embarrassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way. (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company. Despite MS's assertions, it's still not realistic to expect everybody to migrate fully to Windows XP/2003 Server. Even the relatively small (under 100 employees) business I work for is still running an NT 4.0 workstation that drives an old voice mail system for our phones.)
  • sliding scale (Score:2, Funny)

    by macadamia_harold (947445) on Sunday October 01 2006, @07:44AM (#16264849)
    (http://www.google.com/)
    "This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement."

    Oh, so it's not a patch created by some guy in his basement. But what about some guy in his parents' basement?
  • by Coeurderoy (717228) on Sunday October 01 2006, @08:03AM (#16264929)
    Microsoft makes it purposely hard to work with them.
    Their security is bad, and anything that encourages people to use their software is wrong.

    It encourages Microsoft to continue to work as they are.

    And therefore it actually lowers the global security of the Internet.

  • And for the new setSlice (Score:3, Informative)

    by farker haiku (883529) on Sunday October 01 2006, @08:32AM (#16265027)
    In other news, according to SANS, there is publicly available exploit code [milw0rm.com] out there for the new setSlice bug. According to Gadi Evron's post [securityfocus.com], "there's a rootkit, some malware, and haxdor". There's a third party (easily reversible) fix, and a way to test if your browser is vulnerable [sans.org] here [metasploit.com].
  • So what? (Score:2)

    by joe_n_bloe (244407) on Sunday October 01 2006, @08:36AM (#16265049)
    (http://www.5sigma.com/joseph)
    As far as I'm concerned, virus checkers, firewalls, all sorts of TSRs -- they're all patches. What's remarkable about a third party "OS patch"?

    There are hundreds (or thousands) of applications that might contain critical vulnerabilities.
  • Back in the good old days you would load a game on your Commodore 64 and prior to running it patch it in memory with the POKE command in Basic to get you unlimited lives etc. Some things most obviously never change; nowadays it seems you have to superpoke your Windows box to keep it unowned.
  • Peanuts (Score:1, Insightful)

    by Anonymous Coward on Sunday October 01 2006, @09:08AM (#16265203)
    From the gallery:

    Peanut #1: If you are responsible for a data center or high reliability server or are within the standard support window, I do not recommend using a 3rd party patch. And I would go so far as to say that if MS server administrators were to do so at my company they would be fired. And the reason for this has nothing to do with security or vulnerability; it is because if the server crashes after installing the patch you may need both the hardware and software vendors' support. If you install a 3rd party patch on these servers and run into a problem you will more than likely be S.O.L.

    Peanut #2: That said let's look at Microsoft OS's outside of the Microsoft support umbrella. Almost every company has a few legacy machines still floating around filling various niche functions. In this case, 3rd party software patches, isolation from the network, firewalls, and IP Filters are really your only options.

    -The gallery
  • Um, if you use an unsupported OS like Win98 for something see if you can do that same thing with Linux. If that 98 machine is used as a print server Linux can do the same thing, it can serve as a server that handles tape backups of high priority data, as a cheap alternative to MS Exchange server with 3rd party open source software, and even an Intranet server for in-house websites.

    Linux can breathe new life and functions into older computers.
  • by kasperd (592156) on Sunday October 01 2006, @10:00AM (#16265543)
    (http://kasperd.net/~kasperd/ | Last Journal: Thursday July 08 2004, @10:18AM)
    The correct way to make a patch is: take the source code, fix the bug, compile it, and ship as many of the executable files as necessary. But does this third party have the source code? If they do, they probably have signed an agreement forbidding them to use it in this way. In some countries the law gives you an unwaivable right to fix bugs in software, but I'm not sure you would be allowed to share the fix with everybody in this way.
  • Here is an idea (Score:2)

    by Fëanáro (130986) on Sunday October 01 2006, @11:12AM (#16266221)
    How about this: If Microsoft implemented a module in Windows to block incoming packets based on some scripted rules, and block HTTP connections in Internet Explorer based on similar rules, then everyone could develop instant band-aid patches for newfound exploits just by making and distributing new rulesets.

    This could of course only be a workaround until a real patch is developed, but it would be better than nothing, and the chances of some new security hole or fatal bug being introduced by a new ruleset are slim, so there would be little risk in deploying them instantly.

    A similar module in an application such as Word could block exploits for every file format that this application handles.

    Comments? Would such a solution be workable? Could open source software use it too?
  • I assert that, if ZERT hadn't shamed Microsoft into action, it is very likely that MS would have let the exploit float around for a month before they patched for it.
  • Why oh why? (Score:1)

    by Plutonite (999141) on Sunday October 01 2006, @12:51PM (#16267149)
    Why do these third-party groups release patches for proprietary software that they have to reverse engineer to understand? What kick do they get out of it?

    I can understand when you devote your time to some OSS effort, but to MS? You can write viruses for their OS, release exploits, send them hatemail... but why help their victims when the only thanks you get are the kind of comments we've seen?
  • by Anonymous Coward on Sunday October 01 2006, @12:59PM (#16267205)
    It's not a question of choosing between an official and an unofficial patch. It's choosing between an unofficial patch and no patch at all.

    If the vendor acted more responsibly (i.e. patched vulnerabilities as soon as possible after they were reported, rather than sitting on its patches for up to a month), none of this would be an issue at all. I'm not asking for them to cut back on regression-testing, just make the patch, test the patch and release the patch--no matter what day of the month it is.

    The "monthly patch cycle" is only a convenience for virus-writers, not users.
  • by Kidbro (80868) <dibbe@@@linux...nu> on Sunday October 01 2006, @04:41PM (#16269235)
    "I will not use the unofficial patch, nor can I think of anyone I would recommend it to," said Jesper Johansson, a former Microsoft security consultant now working at a Seattle-based online retailer. "Personally, I worry about putting unverified and untrusted binaries on my system, and about the likelihood that they are going to be any higher quality than the ones Microsoft releases."

    And this, dear Johansson, is exactly why I, and many with me, will trust neither your former employer's nor third party patchers' code. "[We] worry about putting unverified and untrusted binaries on [our] system[s]."
    Give us the source under a sane license and we'll be able to verify that both Microsoft's and third party patchers' code is trustworthy.

  • by syousef (465911) on Sunday October 01 2006, @05:54PM (#16269887)
    ...for security holes in an OS, and plenty of people install antivirus software.