Third party fixes not a patch on Microsoft

Stan Beer
Monday, 02 October 2006 14:33

Business IT - Security

The debate has flared up once again about whether users should wait for an official Microsoft patch to a vulnerability in its software or take their chances with a third party patch as a temporary measure.

• Announcements

The highly publicised actions of a group of security professionals calling themselves ZERT (Zeroday Emergency Response Team) have brought the issue to the fore by issuing fixes for two separate vulnerabilities within two weeks.

The first patch issued by ZERT for an Internet Explorer and HTML email flaw involving Vector markup anguage (VML) may well have embarrassed Microsoft to issuing an official patch ahead of time last week, instead of waiting until Patch Tuesday on October 10.

ZERT then followed its initial patch with another patch this week for a vulnerability in the Windows Shell, which affects Windows 2000, Windows XP and windows 2003 Server. If exploited by visiting a malicious website using Internet Explorer the vulnerability could allow remote code execution on the user's computer.

With the number of exploits mounting and a third party again issuing its own fix to the flaw, Microsoft is once again considering issuing an official patch ahead of its normal Patch Tuesday cycle.

Both user and security communities are divided over whether third party vendors issuing patches to Windows and other Microsoft software is a good idea, with some saying a third party patch could itself introduce more problems than it fixes.

However, many agree that the increasing involvement of third party security vendors is putting increasing pressure on Microsoft to release patches faster and outside its usual monthly cycle.

Some say the monthly patching cycle is enabling attackers to time their zero day exploits to be released in the days immediately following Patch Tuesday, knowing that they have nearly a full month of a patch free vulnerability to work with.