The Third-Party Patching Conundrum
An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."
Well, third-party patches are being used and deployed quite regularly in the FOSS world. In fact, this was one of the points the Mozilla people tried to highlight in their recent trademark dispute with Debian (mainly accusing them of shoddy patches).
It is not really a conundrum; whether you use a third-party patch or not just depends on who the third party is and to what level you trust it. I'll install a third-party security patch by the Debian devs but might think twice if it was by someone like Linspire (not because they are necessarily shoddier, just the question of trust).
I never understood the need for security analysts, patches and all that. Why can't they just install some sort of filter in the internet tubes and be done with it? Maybe a good time to write Senator Ted Stevens?
These people obviously know what they are doing and, to be quite honest with you, I like to choose whether or not I update my system with the latest patch that may slow down my computer or install sh*t I don't need. However, that's for computer-savvy individuals like myself. I don't see this really happening with the masses. People will just turn on automatic updates and click on that irritating flashing icon in the system tray. Who cares what it is, it's obviously from M$ so it must be needed - so the thinking goes.
$action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
Given the fact that huge numbers of Win2k and Win98 systems are, and will remain, in use, they must be patched to deliver homeland security.
If MS won't release patches, surely it is incumbent on the US Government to force them to OpenSource them so that others can. The US government IS still supposed to deliver homeland security?
Sent from my ASR33 using ASCII
I 'stabilised' my Microsoft Windows a while ago; I don't actually require any fixes, if it catches a virus and dies then that is just the way of the world. The next investment will be in a Sony Playstation.
Any vendors who don't support it, I'm not buying what they have to sell.
I hope this really irks the people at Microsoft that make the decisions on when to EOL something.
B) Eliminate all the stupid users. This is frowned upon by society.
It seems like lately, every time MS takes "too long" to release a patch, someone rolls out an unofficial one - and then this debate rages on whether or not that's a "good thing".
Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones.
It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarrassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way. (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company. Despite MS's assertions, it's still not realistic to expect everybody to migrate fully to Windows XP/2003 Server. Even the relatively small (under 100 employees) business I work for is still running an NT 4.0 workstation that drives an old voice mail system for our phones.)
This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.
Oh, so it's not a patch created by some guy in his basement. But what about some guy in his parents' basement?
Push Button, Receive Bacon
If we put filters on the tubes, they'll just clog up faster.
I don't know about you, but my e-mails don't travel that well when they're clogged..
What everyone is secretly afraid of is that formerly trustworthy people decide: "we're going to trojan our next release, steal a shiatload of money/IDs/information and then flee to a non-extradition country."
Sure, it's the kind of thing you see in the movies, but it could happen and you only have to get burned once for it to be a disaster.
[Fuck Beta]
o0t!
Microsoft makes it purposely hard to work with them.
Their security is bad, and anything that encourages people to use their software is wrong.
It encourages Microsoft to continue to work as they are.
And therefore it actually lowers the global security of the Internet
The conundrum is that [third party open source developers, eg. Debian, are] trustworthy... right up until they screw you over.
Well you don't need to trust them. If you've got the source you can just look at the source and the patch (and even the vulnerability if it was a full-disclosure list) and check it for yourself. Or if you're not a competent programmer, pay a programmer on your behalf to do the check.
In many ways it's funny to see the Windows closed-source-is-best Microsoft-is-always-right "community" acting this way. They can't see that it's obviously better in this case to have source, and third-party patches (with source) are clearly better for everyone.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
In other news, according to SANS, there is publicly available exploit code out there for the new setSlice bug. According to Gadi Evron's post, "there's a rootkit, some malware, and haxdor". There's a third-party (easily reversible) fix, and a way to test if your browser is vulnerable here.
Your sig(k) has been stolen. There is a puff of smoke!
Agreed, wish I had my mod points. I don't see why we should encourage Microsoft. Sure, people have bet their businesses on their software as well and may stand to lose a lot if they're not patched, but that's something we shouldn't encourage either. They should use the best software for the job, but they're not because someone else is covering their ass.
As far as I'm concerned, virus checkers, firewalls, all sorts of TSRs -- they're all patches. What's remarkable about a third party "OS patch"?
There are hundreds (or thousands) of applications that might contain critical vulnerabilities.
"Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones."
I agree. At least those with unsupported OS's are given one more option than they started out with.
"It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way."
The moment these 3rd party patches start to outdo Windows Update, expect the lawsuits to fly. Microsoft uses Windows Update for more than updates. WGA is one example of using the update mechanism for ulterior motives. Consider also, the whole reason for EOL is to force users to upgrade rather than continue to use their existing OS. Cut off that reason and Microsoft will surely see you as a threat to their business model.
B.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
Back in the good old days you would load a game on your Commodore 64 and prior to running it patch it in memory with the POKE command in Basic to get you unlimited lives etc. Some things most obviously never change; nowadays it seems you have to superpoke your Windows box to keep it unowned.
From the gallery:
Peanut #1. If you are responsible for a data center or high reliability server or are within the standard support window, I do not recommend using a 3rd party patch. And I would go so far as to say that if MS server administrators were to do so at my company they would be fired. And the reason for this has nothing to do with security or vulnerability it is because if the server crashes after installing the patch you may need both the hardware and software vendors support. If you install a 3rd party patch on these servers and run into a problem you will more than likely be S.O.L.
Peanut #2: That said let's look at Microsoft OS's outside of the Microsoft support umbrella. Almost every company has a few legacy machines still floating around filling various niche functions. In this case, 3rd party software patches, isolation from the network, firewalls, and IP Filters are really your only options.
-The gallery
Um, if you use an unsupported OS like Win98 for something see if you can do that same thing with Linux. If that 98 machine is used as a print server Linux can do the same thing, it can serve as a server that handles tape backups of high priority data, as a cheap alternative to MS Exchange server with 3rd party open source software, and even an Intranet server for in-house websites.
Linux can breathe new life and functions into older computers.
Michael "TheZorch" Haney
thezorch@gmail.com
http://thezorch.googlepages.com/home
The correct way to make a patch is: take the source code, fix the bug, compile it, and ship as many of the executable files as necessary. But does this third party have the source code? If they do, they have probably signed an agreement forbidding them to use it in this way. In some countries the law gives you an unwaivable right to fix bugs in software, but I'm not sure you would be allowed to share the fix with everybody in this way.
Do you care about the security of your wireless mouse?
How about this: If Microsoft implemented a module in Windows to block incoming packets based on some scripted rules, and block HTTP connections in Internet Explorer based on similar rules, then everyone could develop instant band-aid patches for newfound exploits just by making and distributing new rulesets.
This could of course only be a workaround until a real patch is developed, but it would be better than nothing, and the chances of some new security hole or fatal bug being introduced by a new ruleset are slim, so there would be little risk in deploying them instantly.
A similar module in an application such as Word could block exploits for every file format that this application handles.
Comments? Would such a solution be workable? Could open source software use it too?
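A minimal sketch of the "scripted rules" module this post proposes, added here as an example and not code from the thread or from any vendor: rulesets are plain data that can be shipped and audited separately from the filter engine, and a ruleset with a malformed rule is rejected whole instead of silently running with one rule missing. The ruleset format, the `vml-markup` rule and the sample responses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed ruleset format (one rule per line): name | content-type substring | body regex
# A rule fires when the response Content-Type contains the substring (empty = any type)
# and the regex matches somewhere in the body. The regex may itself contain '|'.
CONSTRUCTED_RULESET = """
# name | content-type | body regex
vml-markup | text/html | (?i)<v:|urn:schemas-microsoft-com:vml
"""


@dataclass(frozen=True)
class Rule:
    name: str
    content_type: str
    pattern: "re.Pattern[str]"


def parse_ruleset(text: str) -> List[Rule]:
    """Parse a ruleset; any malformed line rejects the whole ruleset (fail closed on bad data)."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|", 2)]  # maxsplit keeps '|' inside the regex
        if len(parts) != 3 or not parts[0] or not parts[2]:
            raise ValueError(f"ruleset line {lineno}: expected 'name | content-type | regex'")
        try:
            pattern = re.compile(parts[2])
        except re.error as exc:
            raise ValueError(f"ruleset line {lineno}: bad regex: {exc}") from exc
        rules.append(Rule(parts[0], parts[1].lower(), pattern))
    return rules


def matching_rules(headers: Dict[str, str], body: str, rules: List[Rule]) -> List[str]:
    """Return the names of all rules that fire on this response (empty list = allow)."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "").lower()
    return [
        r.name for r in rules
        if (not r.content_type or r.content_type in ctype) and r.pattern.search(body)
    ]


def filter_response(headers: Dict[str, str], body: str, rules: List[Rule]) -> str:
    """Replace a matching body with a stub; a logging hook would record the fired rule names."""
    hits = matching_rules(headers, body, rules)
    return f"blocked by ruleset: {', '.join(hits)}" if hits else body
```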
I assert that, if ZERT hadn't shamed Microsoft into action, it is very likely that MS would have let the exploit float around for a month before they patched for it.
Free Software: Like love, it grows best when given away.
Why do these third-party groups release patches for proprietary software that they have to reverse engineer to understand? What kick do they get out of it?
I can understand when you devote your time to some OSS effort, but to MS? You can write viruses for their OS, release exploits, send them hatemail..but why help their victims when the only thanks you get are the kind of comments we've seen?
It's not a question of choosing between an official and an unofficial patch. It's choosing between an unofficial patch and no patch at all.
If the vendor acted more responsibly (i.e. patched vulnerabilities as soon as possible after they were reported, rather than sitting on its patches for up to a month), none of this would be an issue at all. I'm not asking for them to cut back on regression-testing, just make the patch, test the patch and release the patch--no matter what day of the month it is.
The "monthly patch cycle" is only a convenience for virus-writers, not users.
[Patches] encourage Microsoft to continue to work as they are. ... encourage people to use their software ... And therefore it actually lowers the global security of the Internet
That's true, and the reward is an M$ attack. M$ has shown no willingness to change, is hostile to alternatives and claims that alternatives are impossible. "Third party patches" are just another competition for them to destroy.
The arrogance is amazing. How can anyone cling to "official" patches for an OS that needs a new one every month? From a user perspective, it's kind of like saying, "I use the worst brand possible and only the worst is good enough for my organization." The defensive position M$ is taking needs no further analysis.
Real alternatives are the answer.
Friends don't help friends install M$ junk.
"I will not use the unofficial patch, nor can I think of anyone I would recommend it to," said Jesper Johansson, a former Microsoft security consultant now working at a Seattle-based online retailer. "Personally, I worry about putting unverified and untrusted binaries on my system, and about the likelihood that they are going to be any higher quality than the ones Microsoft releases."
And this, dear Johansson, is exactly why I, and many with me, will trust neither your former employer's nor third-party patchers' code. "[We] worry about putting unverified and untrusted binaries on [our] system[s]."
Give us the source under a sane license and we'll be able to verify that both Microsoft's and third party patchers' code is trustworthy.
May we live long and die out
...for security holes in an OS, and plenty of people install antivirus software.
These posts express my own personal views, not those of my employer
(I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company.)
The teacher for my PC Config and Repair class told us how they (at a place he used to work, I guess) had an NT4 server box running. It kept running the whole time. The only time it had down time was when they yanked and tossed it a few years ago.
Not only that, but places like gas stations and some market places (cash registers mostly) still use DOS front ends and back ends. Most of those machines are either A) secure because they run behind a firewall using ancient software, or B) aren't connected to the Internet in the first place and aren't very viable targets. In both cases, a software upgrade is hardly necessary.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
The more people running old versions of their O/Ses, the greater the danger that someone else comes up with a really Windows Compatible O/S, and they end up like a BIOS manufacturer.
For example, they are trying to come up with Vista. If it is too incompatible they might end up in the Intel Itanic vs AMD Opteron scenario. Where people look at the Itanic and say, if I want incompatible and fast, I might as well go IBM POWER, if I want compatible and fast, I go AMD.
That is why if lots of people get Dell/HP etc to skip the Vista preload and preload XP instead, Microsoft could have big problems, even if Linux is not being preloaded.