Under Pressure...
Posted by jericho
Microsoft is finding themselves under increasing pressure to release fixes for critical vulnerabilities. This week, Microsoft broke from tradition again and opted to release and early fix for a critical Internet Explorer vulnerability. Since we’ve seen other critical vulnerabilities come up before this one, some of which were being exploited in the wild, why the change of policy? One factor that might be influencing this decision is the sudden availability of third-party patches. Back in March, eEye released an unofficial patch for the MSIE createTextRange() flaw which drew criticism and contempt from Microsoft. Windows/IE users were under no pressure to use the patch, but it gave some an alternative to disabling Active Scripting entirely.
This time around, we’re seeing multiple third parties come up with alternative patches that may help some companies while they wait for Microsoft to officially fix a vulnerability. This week the Internet Explorer setSlice vulnerability is being exploited in the wild with more than two weeks before Microsoft possibly releases a patch for it. With this reoccuring trend of critical vulnerabilities going unpatched for “too long”, a group of security professionals has created a new response team called ZERT to help consumers. Determina has also released a patch for the setSlice vulnerability, giving consumers even more choices in helping to mitigate the threat while waiting for Microsoft to patch.
With more and more third party patches available, will it pressure Microsoft to step up and break the monthly patch cycle more often? Will they realize that making patches available for critical vulnerabilities being exploited in the wild, even if not fully tested, is a better option than consumers finding themselves under the control of computer criminals and botnets? After all, we know that Microsoft is perfectly capable of producing fast patches when they think it is a serious issue.
http://www.eweek.com/article2/0,1895,2022366,00.asp
The emergence of a high-profile group of security professionals promising third-party software fixes during zero-day attacks has rekindled a debate on the merits - and risks - associated with deploying unsupported product updates.
The Zero Day Emergency Response Team, or ZERT, stepped out of stealth mode on Sept. 22 with a stopgap patch for a VML (Vector Markup Language) flaw that was the target of drive-by malware downloads - and, with a roster of well-respected security professionals on board, the concept of using a temporary fix ahead of Microsoft’s official update gained instant credibility.
Marcus Sachs, a former White House IT security expert who agreed to serve as corporate evangelist for the ZERT effort, said third-party mitigations will become even more important in what he describes as “a nasty zero-day world.”
[..]