The Third-Party Patching Conundrum
An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."
The important question is: Who is the third party? (Score:5, Insightful)
It is not really a conundrum, whether you use a third party patch or not, just depends on who the third party is and to what level you trust it. I'll install a security third party patch by the debian devs but might think twice if it was by some one like Linspire (not because they are necessarily shoddier, just the question of trust).
Re: (Score:2)
The conundrum is that they're trustworthy... right up until they screw you over.
What everyone is secretly afraid of is that formerly trustworthy people decide: "we're going to trojan our next release, steal a shiatload of money/IDs/information and then flee to a non-extradition country."
Sure, it's the kind of thing you see in the movies, but it could happen and you
Re: (Score:1)
The conundrum is that [third party open source developers, eg. Debian, are] trustworthy... right up until they screw you over.
Well you don't need to trust them. If you've got the source you can just look at the source and the patch (and even the vulnerability if it was a full-disclosure list) and check it for yourself. Or if you're not a competent programmer, pay a programmer on your behalf to do the check.
In many ways it's funny to see the Windows closed-source-is-best Microsoft-is-always-right "com
Filters in the tubes (Score:5, Funny)
Clogged.. (Score:2, Funny)
I don't know about you, but my e-mails don't travel that well when they're clogged..
Re: (Score:2)
http://en.wikipedia.org/wiki/Series_of_tubes [wikipedia.org]
Re: (Score:2)
Wikipedia [wikipedia.org]
No M$ bashing here... (Score:1, Interesting)
These people obviously know what they are doing and to be quite honest with you, I like to choose whether or not I update my system with the latest patch that may slow down my computer or ins
Re: (Score:2)
I can rebuild my system from scratch if I need to in less time than I'd spend in a year of reviewing patches. When I get home, I want to check my email, Slashdot, Fark, some comics, etc... not be right back at work only without the pay.
Re: (Score:2)
Until Microsoft unleashes a torrent of pain upon your system...
Ah yes, the unspoken one known only as WGA!
The tormenter of souls has come and he knows no end!
Seriously, that drove me crazy when it was installed and I was so pleased when they finally removed it.
Don't worry... the Microsoft gnomes will bring you an even better treat in the future.... I guran'tee it.
FOSS required for homeland security (Score:1, Redundant)
Given the fact that huge numbers of Win2k and Win98 systems are, and will remain, in use, they must be patched to deliver homeland security.
If MS won't release patches, surely it is incumbent on the US Government to force them to OpenSource them so that others can. The US government IS still supposed to deliver homeland security?
Re: (Score:1)
By the way, using 'Homeland Security' as a reason to patch OSes is spurious. The government in the interests of security should always be up to date, so there is no reason for them to still be using Win98/2k. There's probably no reason for them to be using Windows at all. I use MS myself (I'm a gamer and Transgaming is still not an option) but I'd be happier if any government was using a more secure OS, or at least
Re: (Score:1)
All the more reason to transition to Free Software/Open Source Software. Custom apps written using OSS in Linux/Unix wouldn't have to be rewritten when you upgrade your operating system. There are still apps in use in Linux/Unix that are older than some Slashdot readers. For example VI and Emacs are both old programs that run well on modern operating systems.
Re: (Score:1)
I don't expect anyone else would bother to maintain Windows09 and Windows2000. Anyone who can patch Win98 can maintain Linux more easily. Even if you had the source, the learning curve would be long and thankless.
Besides, when you bought your Windows98 licence, it said on the packet what the end of service date was. Microsoft did pretty well to get within a month of it before deciding that it was not economically viable to repair.
Better buggy-whips ? (Score:1)
I 'stabilised' my Microsoft Windows a while ago; I don't actually require any fixes, if it catches a virus and dies then that is just the way of the world. The next investment will be in a Sony Playstation.
Any vendors who don't support it, I'm not buying what they have to sell.
I'll use them (Score:3, Interesting)
I hope this really irks the people at Microsoft that make the decisions on when to EOL something.
Simply patching obsolete OS's would be more useful (Score:4, Informative)
Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones.
It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarrassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way. (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company. Despite MS's assertions, it's still not realistic to expect everybody to migrate fully to Windows XP/2003 Server. Even the relatively small (under 100 employees) business I work for is still running an NT 4.0 workstation that drives an old voice mail system for our phones.)
Re: (Score:2)
I agree. At least those with unsupported OS's are given one more option than they started out with.
"It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarassment if it turns out you're better and more quickly patched a
Re:Simply patching obsolete OS's would be more use (Score:1)
The teacher for my PC Config and Repair class told us how they (at a place he used to work, I guess) had an NT4 server box running. It kept running the whole time. The only time it had down time was when they yanked and tossed it a few years ago.
Not only that, but places like gas stations and some market places (cash registers mostly) still
Microsoft would really hate that. (Score:2)
For example, they are trying to come up with Vista. If it is too incompatible they might end up in the Intel Itanic vs AMD Opteron scenario. Where people look at the Itanic and say, if I want incompatible and fast, I might as well go IBM POWER, if I want compatible and fast, I go AMD.
That is why if lots of people get Dell/HP etc
sliding scale (Score:2, Funny)
Oh, so it's not a patch created by some guy in his basement. But what about some guy in his parents' basement?
Re: (Score:3, Funny)
What do you think the word "a" means?
Providing Patches for Microsoft is Wrong (Score:2, Redundant)
Their security is bad, and anything that encourages people to use their software is wrong.
It encourages Microsoft to continue to work as they are.
And therefore it actually lowers the global security of the Internet.
Wrong and Unrewarding. (Score:2)
[Patches] encourage Microsoft to continue to work as they are. ... encourage people to use their software ... And therefore it actually lowers the global security of the Internet
That's true, and the reward is a M$ attack. M$ has shown no willingness to change, is hostile to alternatives and claims that alternatives are impossible. "Third party patches" are just another competition for them to destroy.
The arrogance is amazing. How can anyone cling to "official" patches for an OS that needs a new one e
Re: (Score:2)
[Microsoft] is hostile [to] alternatives
Of course they fucking are! It's called "being a competitor"!
"Third party patches" are just another competition for them to destroy.
Yes. Of course, twitter.
By the way, I and a few others were wondering whether you'd mind responding to this [slashdot.org], or maybe this [slashdot.org]. An admission that you were talking bullshit on that last one would be nice.
And for the new setSlice (Score:3, Informative)
Re: (Score:2)
exploit code [milw0rm.com]
Gadi Evron's post on Bugtraq [securityfocus.com]
Third party fix [sans.org].
See if you are vulnerable. [metasploit.com]
So what? (Score:2)
There are hundreds (or thousands) of applications that might contain critical vulnerabilities.
superpokes: nothing new under the sun. (Score:1)
it in memory with the POKE command in Basic to get you unlimited lives etc. Some things most obviously
never change, nowadays it seems you have to superpoke your windows box to keep it unowned.
Peanuts (Score:1, Insightful)
Peanut #1. If you are responsible for a data center or high reliability server or are within the standard support window, I do not recommend using a 3rd party patch. And I would go so far as to say that if MS server administrators were to do so at my company they would be fired. And the reason for this has nothing to do with security or vulnerability; it is because if the server crashes after installing the patch you may need both the hardware and software vendors' support. If you install
This should be obvious (Score:1, Offtopic)
Linux can breathe new life and functions into older computers.
How about the source code? (Score:2)
Here is an idea (Score:2)
This could of course only be a workaround until a real patch is developed, but it would be better than nothing and the chance of some new security hole or fatal bug introduced by a new ruleset are slim,
ZERT is why MS released an Out of Band Patch (Score:2)
Why oh why? (Score:1)
I can understand when you devote your time to some OSS effort, but to MS? You can write viruses for their OS, release exploits, send them hatemail..but why help their victims when the only thanks you get are the kind of comments we've seen?
Re: (Score:1)
A lot of people have the power to mitigate MS problems, but that doesn't mean we should spend our free time helping a company that already makes far more money than it deserves, just because it is popular. If the users want to stick with it, let them.
There are some situations where charity doesn't apply.
Re: (Score:1)
It's more like stopping to help with a car model that Hyundai doesn't support anymore even though it's in heavy use, so if Bob walks away the poor schmuck will discover why so many people are pissed at the company.
Finally, they may have a point, but life is too short. Too many th
Re: (Score:1)
And with this humbling thought, I go off to bed a happier man than I ever was.
Official vs. unofficial (Score:1)
If the vendor acted more responsibly (i.e. patched vulnerabilities as soon as possible after they were reported, rather than sitting on its patches for up to a month), none of this would be an issue at all. I'm not asking for them to cut back on regression-testing, just make the patch, test the patch and release the patch--no matter what day of the month it is.
The "mon
About untrusted binaries... (Score:2)
And this, dear Johansson, is exactly why I, and many with me, will never trust neither your former employer's nor third party
Anti-virus software is just a 3rd party patch (Score:2)
Re: (Score:1)
I have wasted many a Saturday doing MS-Patchathons because of an urgent fix that was rolled out. This is the way of things.
If you are running an unsupported O/S like win98 then g