The Third-Party Patching Conundrum

An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."

Simply patching obsolete OS's would be more useful

[King_TJ]

It seems like lately, every time MS takes "too long" to release a patch, someone rolls out an unofficial one - and then this debate rages on whether or not that's a "good thing".

Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones.

It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way. (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company. Despite MS's assertions, it's still not realistic to expect everybody to migrate fully to Windows XP/2003 Server. Even the relatively small (under 100 employees) business I work for is still running an NT 4.0 workstation that drives an old voice mail system for our phones.

And for the new setSlice

[farker haiku]

In other news, according to SANS, there is publicly available exploit code [milw0rm.com] out there for the new setSlice bug. According to Gadi Evron's post [securityfocus.com], "there's a rootkit, some malware, and haxdor". There's a third party (easily reversable) fix , and a way to test if your browser is vulnerable [sans.org]here [metasploit.com].