Fast exploits of flaws test Microsoft's patching policy

The growing number of zero-day exploits seeking to take advantage of unpatched security flaws in Microsoft's products is exposing some of the limitations of the company's monthly software update schedule, IT managers and analysts said last week.

Even so, they added, it may be better in most cases for corporate users to wait for Microsoft's official updates instead of installing interim patches released by third-party developers as a stopgap measure.

Robert Olson, a systems administrator at Uline, said he would like to see Microsoft issue supplemental fixes for unpatched vulnerabilities that are actively being exploited, such as a flaw in Internet Explorer that malicious hackers were targeting for attacks last week.

At the same time, Olson said that Uline, a distributor of packaging and shipping materials, has no intention of using third-party patches to plug security holes, no matter how critical they are.

"Our opinion is that you open yourself to greater threats," he said, citing fears that a third-party patch could disrupt production applications, leaving users to resolve the problems without help from Microsoft.

Relying on third-party fixes "is another example of people getting overly focused on patches and not paying attention to other compensating controls" for mitigating security risks, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry.

Hession said he thinks that for an IT manager to even consider installing a third-party patch, "the risks to your environment have to be severe and hard to mitigate by any other means."

The debate about the wisdom of using third-party patches was renewed last week amid considerable concern that the flaw in IE could be used by hackers to take complete control of vulnerable systems. Fueling the concerns was the public availability of sample attack code, as well as reports by Websense that more than 200 malicious Web sites had been set up to try to exploit the flaw.

Microsoft said it planned to issue a patch for the flaw as part of its next monthly update release on April 11, although the company added that it would act sooner if warranted.

Two security software vendors, Determina in Redwood City, Calif., and eEye Digital Security in Aliso Viejo, Calif., stepped into the breach and released interim fixes for users who didn't want to wait for Microsoft's patch.

It was the second time this year that third-party developers have released patches for zero-day flaws ahead of Microsoft. In January, a programmer in Belgium named Ilfak Guilfanov issued a patch designed to provide a temporary fix for the Windows Metafile flaw, a far more serious vulnerability that did eventually prompt Microsoft to release an out-of-cycle patch.

Although unofficial patches can be useful in some cases, it's unlikely that many businesses -- especially larger ones -- will deploy them, said Andrew Jacquith, an analyst at Yankee Group Research in Boston. Most IT managers "would really rather wait" than run the risk of implementing an untested patch, he said.

Bill Cassada, enterprise network administrator at Healthways, a health care services company in Nashville, said that work-arounds are often available to help users mitigate the risks of unpatched flaws. With the latest vulnerability, for instance, all that needs to be done to protect systems is to turn off the Active Scripting function in IE, Cassada said.
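The workaround Cassada describes, disabling Active Scripting in IE, is a per-zone setting. As an added example (not from the article, nor Healthways' own tooling), the following PowerShell snippet audits the Internet zone's Active Scripting setting and, if needed, sets it to "Disable". It assumes the standard per-user location for IE zone settings (`HKCU\...\Internet Settings\Zones\3`, where zone 3 is the Internet zone and URL action `1400` is Active Scripting); a machine-wide policy under HKLM can override what is seen here, and in an enterprise the same setting is normally pushed through Group Policy rather than a script.

```powershell
# Added example, not from the article: audit and optionally disable
# Active Scripting in Internet Explorer's Internet zone.
# Assumes the standard per-user zone settings location; if the machine
# is configured with Security_HKLM_only, the HKLM copy takes precedence.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$ActiveScripting = '1400'   # URL action "Active scripting": 0 = enable, 1 = prompt, 3 = disable

function Get-IEActiveScriptingState {
    $item = Get-ItemProperty -Path $ZoneKey -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (zone default applies)' }
    $value = $item.$ActiveScripting
    switch ($value) {
        0       { return 'Enabled' }
        1       { return 'Prompt' }
        3       { return 'Disabled' }
        default { return "Unknown ($value)" }
    }
}

function Disable-IEActiveScripting {
    # Create the zone key if a fresh profile has not written it yet
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $ActiveScripting -Value 3 -Type DWord
}

$before = Get-IEActiveScriptingState
Write-Output "Internet zone Active Scripting: $before"
if ($before -ne 'Disabled') {
    Disable-IEActiveScripting
    Write-Output "Internet zone Active Scripting now: $(Get-IEActiveScriptingState)"
}
```

Running the audit half alone (calling `Get-IEActiveScriptingState` without the remediation) is enough to confirm whether the workaround is in place on a given machine; the remediation half changes only the current user's setting, which is why a Group Policy object is the better vehicle when the workaround has to cover a whole estate.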

Quality concerns

Microsoft is looking at ways to provide speedier fixes for zero-day flaws, said Stephen Toulouse, security program manager at the company's Security Response Center. But, he added, "there are some huge challenges to that."

First and foremost is the issue of quality control, Toulouse said. Microsoft must ensure that its updates work properly and support a wide range of platforms. "We can't leave anybody behind," he said. "And unfortunately, [a patch] might be introducing new problems. So whenever we look at even a quick hack, it's got to be of quality."

PatchLink, a vendor of patch management software, surveyed 250 IT managers in February. More than 60 percent said they would like software vendors to release patches immediately when exploit code is in the wild. But the survey also showed that many IT professionals remain skeptical about using third-party patches, according to PatchLink.

In January, PatchLink made Guilfanov's WMF patch available to its customers. "About 25 percent downloaded it and took a look at it," including several large government organizations, said Chris Andrew, PatchLink's vice president of security technologies. But in the end, he said, the number of companies that implemented the patch "was probably limited to a handful."

Robert McMillan of the IDG News Service contributed to this story.

Jaikumar Vijayan
