
The Third-Party Patching Conundrum

An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."

  • by iMaple ( 769378 ) * on Sunday October 01, 2006 @08:12AM (#16264735)
    Well, third party patches are being used and deployed quite regularly in the FOSS world. In fact, this was one of the points the Mozilla people tried to highlight in their recent trademark dispute with Debian (mainly accusing them of shoddy patches).

    It is not really a conundrum; whether you use a third party patch or not just depends on who the third party is and to what level you trust it. I'll install a security third party patch by the Debian devs but might think twice if it was by someone like Linspire (not because they are necessarily shoddier, just the question of trust).
  • Peanuts (Score:1, Insightful)

    by Anonymous Coward on Sunday October 01, 2006 @10:08AM (#16265203)
    From the gallery:

    Peanut #1. If you are responsible for a data center or high reliability server or are within the standard support window, I do not recommend using a 3rd party patch. And I would go so far as to say that if MS server administrators were to do so at my company they would be fired. And the reason for this has nothing to do with security or vulnerability; it is because if the server crashes after installing the patch you may need both the hardware and software vendors' support. If you install a 3rd party patch on these servers and run into a problem you will more than likely be S.O.L.

    Peanut #2: That said, let's look at Microsoft OS's outside of the Microsoft support umbrella. Almost every company has a few legacy machines still floating around filling various niche functions. In this case, 3rd party software patches, isolation from the network, firewalls, and IP Filters are really your only options.

    -The gallery
