Slashdot Mirror
The Third-Party Patching Conundrum
An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."
Well, third party patches are being used and deployed quite regularly in the FOSS world. In fact, this was one of the points the Mozilla people tried to highlight in their recent trademark dispute with debian (mainly accussing them of shoddy patches).
It is not really a conundrum, whether you use a third party patch or not, just depends on who the third party is and to what level you trust it. I'll install a security third party patch by the debian devs but might think twice if it was by some one like Linspire (not because they are necessarily shoddier, just the question of trust).
I never understood the need for security analysts, patches and all that. Why can't they just install some sort of filter in the internet tubes and be done with it? Maybe a good time to write Senator Ted Stevens?
8 of 13 people found this answer helpful. Did you?
I hope this really irks the people at Microsoft that make the decisions on when to EOL something.
B) Eliminate all the stupid users. This is frowned upon by society.
It seems like lately, every time MS takes "too long" to release a patch, someone rolls out an unofficial one - and then this debate rages on whether or not that's a "good thing".
Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones.
It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way. (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company. Despite MS's assertions, it's still not realistic to expect everybody to migrate fully to Windows XP/2003 Server. Even the relatively small (under 100 employees) business I work for is still running an NT 4.0 workstation that drives an old voice mail system for our phones.
If we put filters on the tubes, they'll just clog up faster.
I don't know about you, but my e-mails don't travel that well when they're clogged..
What do you think the word "a" means?
In other news, according to SANS, there is publicly available exploit code out there for the new setSlice bug. According to Gadi Evron's post, "there's a rootkit, some malware, and haxdor". There's a third party (easily reversable) fix , and a way to test if your browser is vulnerable here.
Your sig(k) has been stolen. There is a puff of smoke!