Forgot your password?
typodupeerror

The Third-Party Patching Conundrum 63

Posted by kdawson
from the who-do-you-trust? dept.
An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."
This discussion has been archived. No new comments can be posted.

The Third-Party Patching Conundrum

Comments Filter:
  • by iMaple (769378) * on Sunday October 01, 2006 @08:12AM (#16264735)
    Well, third party patches are being used and deployed quite regularly in the FOSS world. In fact, this was one of the points the Mozilla people tried to highlight in their recent trademark dispute with debian (mainly accussing them of shoddy patches).

    It is not really a conundrum, whether you use a third party patch or not, just depends on who the third party is and to what level you trust it. I'll install a security third party patch by the debian devs but might think twice if it was by some one like Linspire (not because they are necessarily shoddier, just the question of trust).
    • by TubeSteak (669689)

      It is not really a conundrum, whether you use a third party patch or not, just depends on who the third party is and to what level you trust it.

      The conundrum is that they're trustworthy... right up until they screw you over.

      What everyone is secretly afraid of is that formerly trustworthy people decide: "we're going to trojan our next release, steal a shiatload of money/IDs/information and then flea to a non-extradition country."

      Sure, it's the kind of thing you see in the movies, but it could happen and you

      • The conundrum is that [third party open source developers, eg. Debian, are] trustworthy... right up until they screw you over.

        Well you don't need to trust them. If you've got the source you can just look at the source and the patch (and even the vulnerability if it was a full-disclosure list) and check it for yourself. Or if you're not a competent programmer, pay a programmer on your behalf to do the check.

        In many ways its funny to see the Windows closed-source-is-best Microsoft-is-always-right "com

  • by cerberusss (660701) on Sunday October 01, 2006 @08:18AM (#16264759) Homepage Journal
    I never understood the need for security analysts, patches and all that. Why can't they just install some sort of filter in the internet tubes and be done with it? Maybe a good time to write Senator Ted Stevens?
  • by xTantrum (919048)
    I could see arguments for both sides. microsoft's own patches can usally be automatically updated without going to another website, but at the same time these third party patches are usally quicker to be released and i have to wonder, is it not like open source in the sense that many people are working on the same problem?

    These people obviously know what they doing and to be quite honest with you, I like to choose whether or not i update my system with the latest patch that may slow down my computer or ins

    • by Baron_Yam (643147)
      For personal computers, that's the way I roll - I set auto update and walk away. Quite frankly, I'd rather have my computer F@*k up once in a blue moon than spend time doing full regression testing on a test platform I don't even have before moving to my prod system.

      I can rebuild my system from scratch if I need to in less time than I'd spend in a year of reviewing patches. When I get home, I want to check my email, Slashdot, Fark, some comics, etc... not be right back at work only without the pay.
      • by Cylix (55374)
        Indeed...

        Until Microsoft unleashes a torrent of pain upon your system...

        Ah yes, the unspoken one known only as WGA!

        The tormenter of souls has come and he knowns no end!

        Seriously, that drove me crazy when it was installed and I was so pleased when they finally removed it.

        Don't worry... the microsoft gnomes will bring you an even better treat in the future.... I guran'tee it.
    • I've never heard of them. For all I know, Claria could have changed its name to Zert. If this caught on, I'm sure all the companies that release fake anti-spyware software would get into the business of releasing third-party operating system patches. Maybe GooglePatch could close all the privacy holes and all you have to do is accept the agreement that it collects aggregate data of your operating system use and stores it for all time. And I guess we don't have to worry at all about some other part of the op
    • by Simon80 (874052)
      This attitude of not trusting these patches cause they might somehow slow down your system suggests that your Windows install likes to slow down on a whim.
  • As MS have a monopoly, then they should be forced to support the OSes or open-source them (their choice)

    Given the fact that huge numbers of Win2k and Win98 systems are, and will remain in use, they must be patched deliver homeland security.

    If MS won't release patches, surely it is incumbent on the US Government to force them to OpenSource them so that others can. The US government IS still supposed to deliver homeland security?

    • They could just tell everyone on 98 to switch to Linux+emulator.
    • by Macthorpe (960048)
      I believe the MS official line would be "No patches for old OSes because we have newer ones."

      By the way, using 'Homeland Security' as a reason to patch OSes is spurious. The government in the interests of security should always be up to date, so there is no reason for them to still be using Win98/2k. There's probably no reason for them to be using Windows at all. I use MS myself (I'm a gamer and Transgaming is still not an option) but I'd be happier if any government was using a more secure OS, or at least
      • There is still some software that may only work under 98 or 2000 and some times it may be a custom app that does not work well with newer os. There are also cnc systems that are still running 98 and they have custom cards in them for the cnc systems.
        • by DougInKY (896994)
          "There is still some software that may only work under 98 or 2000 and some times it may be a custom app that does not work well with newer os."

          All the more reason to transitation to Free Software/Open Source Software. Custom apps written using OSS in Linux/Unix wouldn't have to be rewritten when you upgrade your operating system. There are still apps in use in Linux/Unix that are older than some Slashdot readers. For example VI and Emacs are both old programs that that run well on modern operating systems.
    • by quiberon2 (986274)

      I don't expect anyone else would bother to maintain Windows09 and Windows2000. Anyone who can patch Win98 can maintain Linux more easily. Even if you had the source, the learning curve would be long and thankless.

      Besides, when you bought your Windows98 licence, it said on the packet what the end of service date was. Microsoft did pretty well to get within a month of it before deciding that it was not economically viable to repair.

  • It's getting more like a picture of who can deliver the best buggy-whips by the day. The rest of the world has moved on to cars and aeroplanes.

    I 'stabilised' my Microsoft Windows a while ago; I don't actually require any fixes, if it catches a virus and dies then that is just the way of the world. The next investment will be in a Sony Playstation.

    Any vendors who don't support it, I'm not buying what they have to sell.

  • I'll use them (Score:3, Interesting)

    by ancientt (569920) <ancientt@yahoo.com> on Sunday October 01, 2006 @08:32AM (#16264815) Homepage Journal
    I don't know anything about them, but when I get back to work on Monday I'm going to investigate with the hope I can use them to keep my old Windows installs secure. If they're doing patches for Windows 2000 then I practically have to at least look at the option. If Microsoft were reliable and didn't stop releasing security patches for "old" OSs, then I wouldn't need to.

    I hope this really irks the people at Microsoft that make the decisions on when to EOL something.

  • by King_TJ (85913) on Sunday October 01, 2006 @08:39AM (#16264833) Journal
    It seems like lately, every time MS takes "too long" to release a patch, someone rolls out an unofficial one - and then this debate rages on whether or not that's a "good thing".

    Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones.

    It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way. (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company. Despite MS's assertions, it's still not realistic to expect everybody to migrate fully to Windows XP/2003 Server. Even the relatively small (under 100 employees) business I work for is still running an NT 4.0 workstation that drives an old voice mail system for our phones.
    • by penix1 (722987)
      "Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones."

      I agree. At least those with unsupported OS's are given one more option than they started out with.

      "It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarassment if it turns out you're better and more quickly patched a
    • (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company.

      The teacher for my PC Config and Repair class told us how they (at a place he used to work, I guess) had an NT4 server box running. It kept running the whole time. The only time it had down time was when they yanked and tossed it a few years ago.

      Not only that, but places like gas stations and some market places (cash registered mostly) still
    • The more people running old versions of their O/Ses, the greater the danger that someone else comes up with a really Windows Compatible O/S, and they end up like a BIOS manufacturer.

      For example, they are trying to come up with Vista. If it is too incompatible they might end up in the Intel Itanic vs AMD Opteron scenario. Where people look at the Itanic and say, if I want incompatible and fast, I might as well go IBM POWER, if I want compatible and fast, I go AMD.

      That is why if lots of people get Dell/HP etc
  • This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.

    Oh, so it's not a patch created by some guy in his basement. But what about some guy in his parents' basement?
  • Microsoft makes it purposedly hard to work with them.
    Their security is bad, and anything that encourage people to use their software is wrong.

    It encourage Microsoft to continue to work as they are.

    And therefore it actually lowers the global security of the Internet

    • [Patches] encourage Microsoft to continue to work as they are. ... encourage people to use their software ... And therefore it actually lowers the global security of the Internet

      That's true, and the reward is a M$ attack. M$ has shown no willingness to change, is hostile alternatives and claims that alternatives are impossible. "Third party patches" are just another competition for them to destroy.

      The arrogance is amazing. How can anyone cling to "official" patches for an OS that needs a new one e

      • by jb.hl.com (782137)
        You never change, do you twitter?

        [Microsoft] is hostile [to] alternatives

        Of course they fucking are! It's called "being a competitor"!

        "Third party patches" are just another competition for them to destroy.

        Yes. Of course, twitter.

        By the way, I and a few others were wondering whether you'd mind responding to this [slashdot.org], or maybe this [slashdot.org]. An admission that you were talking bullshit on that last one would be nice.
        • by twitter (104583)
          fuck off [slashdot.org].
          • by jb.hl.com (782137)
            no u [slashdot.org]. In that list you deliberately ignored the meaning of many of those posts and included many which weren't insulting or denigrating to you in the slightest in order to paint me as a "troll".
  • by farker haiku (883529) on Sunday October 01, 2006 @09:32AM (#16265027) Journal
    In other news, according to SANS, there is publicly available exploit code [milw0rm.com] out there for the new setSlice bug. According to Gadi Evron's post [securityfocus.com], "there's a rootkit, some malware, and haxdor". There's a third party (easily reversable) fix , and a way to test if your browser is vulnerable [sans.org]here [metasploit.com].
  • As far as I'm concerned, virus checkers, firewalls, all sorts of TSRs -- they're all patches. What's remarkable about a third party "OS patch"?

    There are hundreds (or thousands) of applications that might contain critical vulnerabilities.
  • Back in the good old days you would load a game on your Commodore 64 and prior to running it patch
    it in memory with the POKE command in Basic to get you unlimited lives etc. Some things most obviously
    never change, nowadays it seems you have to superpoke your windows box to keep it unowned.
  • Peanuts (Score:1, Insightful)

    by Anonymous Coward
    From the gallery:

    Peanut #1. If you are responsible for a data center or high reliability server or are within the standard support window, I do not recommend using a 3rd party patch. And I would go so far as to say that if MS server administrators were to do so at my company they would be fired. And the reason for this has nothing to do with security or vulnerability it is because if the server crashes after installing the patch you may need both the hardware and software vendors support. If you install
  • Um, if you use an unsupported OS like Win98 for something see if you can do that same thing with Linux. If that 98 machine is used as a print server Linux can do the same thing, it can serve as a server that handles tape backups of high priority data, as a cheap alternative to MS Exchange server with 3rd party open source software, and even an Intranet server for in-house websites.

    Linux can breath new life and functions into older computers.
  • The correct way to make a patch is: take the source code, fix the bug, compile it, and ship as many of the executable files as necesarry. But does this third party have the source code? If they do, they probably have signed an agreement forbiding them to use it in this way. In some countries the law gives you an unwaivable right to fix bugs in software, but I'm not sure you would be allowed to share the fix with everybody in this way.
  • How about this: If microsoft implemented a module in windows to block incomming packets based on some scripted rules, and block http connections in internet explorer based on similar rules, then everyone could develop instant band-aid patches for newfound exploits just by making and distributing new rulessets.

    This could of course only be a workaround until a real patch is developed, but it would be beter than nothing and the chance of some new security hole or fatal bug introduced by a new ruleset are slim,
  • I assert that, if ZERT hadn't shamed Microsoft into action it is very likely that MS would have probably let the exploit float around for a month before they patched for it.
  • Why do these third-party groups release patches for proprietory software that they have to reverse engineer to understand? What kick do they get out of it?

    I can understand when you devote your time to some OSS effort, but to MS? You can write viruses for their OS, release exploits, send them hatemail..but why help their victims when the only thanks you get are the kind of comments we've seen?
  • by Anonymous Coward
    It's not a question of choosing between an official and an unofficial patch. It's choosing between an unofficial patch and no patch at all.

    If the vendor acted more responsibly (i.e. patched vulnerabilities as soon as possible after they were reported, rather than sitting on its patches for up to a month), none of this would be an issue at all. I'm not asking for them to cut back on regression-testing, just make the patch, test the patch and release the patch--no matter what day of the month it is.

    The "mon
  • "I will not use the unofficial patch, nor can I think of anyone I would recommend it to," said Jesper Johansson, a former Microsoft security consultant now working at a Seattle-based online retailer. "Personally, I worry about putting unverified and untrusted binaries on my system, and about the likelihood that they are going to be any higher quality than the ones Microsoft releases."

    And this, dear Johansson, is exactly why I, and many with me, will never trust neither your former employer's nor third party
  • ...for security holes in an OS, and plenty of people install antivirius software.
    • When you work in an organization as large as the one I work in, (10's of thousands of windows desktops) and something like over 10,000 windows servers, you need the 'official' fix. Most of our desktops are patched automatically and our servers are patched per schedule. However, we test the patches as they are releasd from M$.
      I have wasted many a saturday doing MS-Patchathons because of an urgent fix that was rolled out. This is the way of things.
      If you are running an unsupported O/S like win98 then g

Facts are stubborn, but statistics are more pliable.

Working...