Third-party patches: IT pros debate their worth

By Bill Brenner, Senior News Writer
28 Aug 2006 | SearchSecurity.com

Third-party patching, a hot topic in recent months given the increased prevalence of zero-day flaws, was among the issues dissected at the recent Black Hat USA 2006 conference in Las Vegas.

In one presentation, Alexander Sotirov, a reverse engineer on the security research team at Redwood City, Calif.-based vulnerability protection firm Determina Inc., said third-party patching provides another security option for IT shops that need to block exploits before an official patch is developed, and that those patches are easy to uninstall after an official patch is released.

Sotirov did acknowledge that there are some disadvantages to third-party patching: There's limited support for multiple operating system versions and languages, and some vulnerabilities require extensive changes or redesign of the affected application and simply can't be hotpatched.

While some organizations might not hesitate to use a third-party fix if a threat is dire enough, IT professionals interviewed by SearchSecurity.com after Black Hat said they would never deploy one in their own environments.

"Third-party patching is potentially another area of vulnerability in my opinion," said Jessica Lynne Verzi, information security manager for ESL Federal Credit Union, a financial institution with 550 employees, 17 branches and numerous ATM locations in the Rochester, N.Y., area. "It's very reactive and very dangerous to install one."

Third-party patches were released for two different Microsoft threats earlier this year.

In January, Russian programmer Ilfak Guilfanov made a patch available to address the widely exploited Windows Meta File (WMF) glitch, which Microsoft ultimately patched.

In March, Determina and Aliso Viejo, Calif.-based eEye Digital Security Inc. released third-party patches for the createTextRange flaw involving Internet Explorer, which Microsoft patched in its April security bulletins.

In both cases, reaction was mixed in the information security community. With WMF and, to a lesser extent, createTextRange being widely exploited, some argued a third-party fix was better than nothing. Others warned that patches can never be fully trusted unless they come straight from the vendor of the affected product.

Verzi didn't lose any sleep over those threats because she said ESL Federal Credit Union utilizes a variety of security measures that would make it very difficult for attackers to successfully target an organization using those flaws.

Verzi said enterprises that practice so-called defense in depth have the necessary security in place to mitigate threats that exploit zero-day flaws and can therefore afford to wait for the official patch.

Craig Hunter, IT manager for the City of North Vancouver, said organizations that have such a security program can afford to wait a few weeks for an official patch.

"Third-party patching is more trouble than it's worth," he said, agreeing with Verzi that it can potentially introduce more vulnerabilities to the network. "Using a mitigation strategy like blocking certain ports or shutting certain programs is the better solution. The user may have to go without a feature for a week, but it's better than taking a risk with a third-party fix that you then have to go and uninstall before installing the real patch."

Keith Gosselin, IT officer for Biddeford Savings Bank in Biddeford, Maine, is also concerned about how his applications would work if he ever tried to install a third-party patch.

"Applications are so finicky, I'd be worried about an application exploding in my face," said Gosselin, whose company has 70 employees and three bank branches, with a fourth opening in September.

Like the others, Gosselin preaches the virtues of a well-rounded defense, and said he makes a point of educating employees on the potential consequences of their computing habits.

"I do spend a lot of time keeping track of zero-day threats so I'm aware of out-of-cycle fixes," he said. "I want to know when there's an exploit so I can email users and warn them to be careful."

For example, during the recent PowerPoint threat, he sent out an email warning employees not to open PowerPoint attachments unless they are expecting one from a trusted source.

He supplements urgent warnings with routine emails about every other month that ask people to be careful when opening attachments. "If you get a file from someone you know that you weren't expecting, I tell them to call that person before opening the attachment," he said.

With these practices in place, he said, there's never a need to use a third-party patch.

To those who argue that patches can't be trusted unless they come from the vendor of the affected program, Determina's Sotirov told his Black Hat audience, "Most software vendors have a long record of shipping vulnerable software. If we trust them, there is no reason not to trust a third-party patch from a well-known security expert or a security company."

Furthermore, he said, "Third-party patches are ideal for situations where the risk of a system compromise outweighs the risk of interoperability issues."

This article originally appeared on SearchSecurity.com.


