Fast exploits of flaws test Microsoft's patching policy

The growing number of zero-day exploits seeking to take advantage of unpatched security flaws in Microsoft's products is exposing some of the limitations of the company's monthly software update schedule, IT managers and analysts said last week.

Even so, they added, it may be better in most cases for corporate users to wait for Microsoft's official updates instead of installing interim patches released by third-party developers as a stopgap measure.

Robert Olson, a systems administrator at Uline, said he would like to see Microsoft issue supplemental fixes for unpatched vulnerabilities that are actively being exploited, such as a flaw in Internet Explorer that malicious hackers were targeting for attacks last week.

At the same time, Olson said that Uline, a distributor of packaging and shipping materials, has no intention of using third-party patches to plug security holes, no matter how critical they are.

"Our opinion is that you open yourself to greater threats," he said, citing fears that a third-party patch could disrupt production applications, leaving users to resolve the problems without help from Microsoft.

Relying on third-party fixes "is another example of people getting overly focused on patches and not paying attention to other compensating controls" for mitigating security risks, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry.

Hession said he thinks that for an IT manager to even consider installing a third-party patch, "the risks to your environment have to be severe and hard to mitigate by any other means."

The debate about the wisdom of using third-party patches was renewed last week amid considerable concern that the flaw in IE could be used by hackers to take complete control of vulnerable systems. Fueling the concerns was the public availability of sample attack code, as well as reports by Websense that more than 200 malicious Web sites had been set up to try to exploit the flaw.

Microsoft said it planned to issue a patch for the flaw as part of its next monthly update release on April 11, although the company added that it would act sooner if warranted.

Two security software vendors, Determina in Redwood City, Calif., and eEye Digital Security in Aliso Viejo, Calif., stepped into the breach and released interim fixes for users who didn't want to wait for Microsoft's patch.

It was the second time this year that third-party developers have released patches for zero-day flaws ahead of Microsoft. In January, a programmer in Belgium named Ilfak Guilfanov issued a patch designed to provide a temporary fix for the Windows Metafile flaw, a far more serious vulnerability that did eventually prompt Microsoft to release an out-of-cycle patch.

Although unofficial patches can be useful in some cases, it's unlikely that many businesses -- especially larger ones -- will deploy them, said Andrew Jacquith, an analyst at Yankee Group Research in Boston. Most IT managers "would really rather wait" than run the risk of implementing an untested patch, he said.

Bill Cassada, enterprise network administrator at Healthways, a health care services company in Nashville, said that work-arounds are often available to help users mitigate the risks of unpatched flaws. With the latest vulnerability, for instance, all that needs to be done to protect systems is to turn off the Active Scripting function in IE, Cassada said.

Quality concerns

Microsoft is looking at ways to provide speedier fixes for zero-day flaws, said Stephen Toulouse, security program manager at the company's Security Response Center. But, he added, "there are some huge challenges to that."

First and foremost is the issue of quality control, Toulouse said. Microsoft must ensure that its updates work properly and support a wide range of platforms. "We can't leave anybody behind," he said. "And unfortunately, [a patch] might be introducing new problems. So whenever we look at even a quick hack, it's got to be of quality."

PatchLink, a vendor of patch management software, surveyed 250 IT managers in February. More than 60 percent said they would like software vendors to release patches immediately when exploit code is in the wild. But the survey also showed that many IT professionals remain skeptical about using third-party patches, according to PatchLink.

In January, PatchLink made Guilfanov's WMF patch available to its customers. "About 25 percent downloaded it and took a look at it," including several large government organizations, said Chris Andrew, PatchLink's vice president of security technologies. But in the end, he said, the number of companies that implemented the patch "was probably limited to a handful."

Robert McMillan of the IDG News Service contributed to this story.


Jaikumar Vijayan

Computerworld