Fast exploits of flaws test Microsoft's patching policy

The growing number of zero-day exploits seeking to take advantage of unpatched security flaws in Microsoft's products is exposing some of the limitations of the company's monthly software update schedule, IT managers and analysts said last week.

Even so, they added, it may be better in most cases for corporate users to wait for Microsoft's official updates instead of installing interim patches released by third-party developers as a stopgap measure.

Robert Olson, a systems administrator at Uline, said he would like to see Microsoft issue supplemental fixes for unpatched vulnerabilities that are actively being exploited, such as a flaw in Internet Explorer that malicious hackers were targeting for attacks last week.

At the same time, Olson said that Uline, a distributor of packaging and shipping materials, has no intention of using third-party patches to plug security holes, no matter how critical they are.

"Our opinion is that you open yourself to greater threats," he said, citing fears that a third-party patch could disrupt production applications, leaving users to resolve the problems without help from Microsoft.

Relying on third-party fixes "is another example of people getting overly focused on patches and not paying attention to other compensating controls" for mitigating security risks, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry.

Hession said he thinks that for an IT manager to even consider installing a third-party patch, "the risks to your environment have to be severe and hard to mitigate by any other means."

The debate about the wisdom of using third-party patches was renewed last week amid considerable concern that the flaw in IE could be used by hackers to take complete control of vulnerable systems. Fueling the concerns was the public availability of sample attack code, as well as reports by Websense that more than 200 malicious Web sites had been set up to try to exploit the flaw.

Microsoft said it planned to issue a patch for the flaw as part of its next monthly update release on April 11, although the company added that it would act sooner if warranted.

Two security software vendors, Determina in Redwood City, Calif., and eEye Digital Security in Aliso Viejo, Calif., stepped into the breach and released interim fixes for users who didn't want to wait for Microsoft's patch.

It was the second time this year that third-party developers have released patches for zero-day flaws ahead of Microsoft. In January, a programmer in Belgium named Ilfak Guilfanov issued a patch designed to provide a temporary fix for the Windows Metafile flaw, a far more serious vulnerability that did eventually prompt Microsoft to release an out-of-cycle patch.

Although unofficial patches can be useful in some cases, it's unlikely that many businesses -- especially larger ones -- will deploy them, said Andrew Jacquith, an analyst at Yankee Group Research in Boston. Most IT managers "would really rather wait" than run the risk of implementing an untested patch, he said.

Bill Cassada, enterprise network administrator at Healthways, a health care services company in Nashville, said that workarounds are often available to help users mitigate the risks of unpatched flaws. With the latest vulnerability, for instance, all that needs to be done to protect systems is to turn off the Active Scripting function in IE, Cassada said.
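As an added illustration of the compensating control Cassada describes (this is not code from the article or from any vendor mentioned in it), the following PowerShell audits and, on request, applies the Active Scripting setting for the Internet zone of the current user. It assumes the per-user zone key shown and that the value named "1400" holds the Active Scripting setting (0 = enable, 1 = prompt, 3 = disable); a machine-wide policy under HKLM can override what it reports.

```powershell
# Added example: audit/apply "disable Active Scripting" in the IE Internet zone
# for the current user. Assumed: the per-user zone key below and value "1400"
# as the Active Scripting setting (0 = enable, 1 = prompt, 3 = disable).
# Group Policy settings under HKLM take precedence over this per-user key.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScripting = '1400'

function Get-ActiveScriptingState {
    # Returns a short description of the current Internet-zone setting.
    $item = Get-ItemProperty -Path $ZoneKey -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (zone default applies)' }
    switch ($item.$ActiveScripting) {
        0       { 'enabled' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { "unknown value $($item.$ActiveScripting)" }
    }
}

function Disable-ActiveScripting {
    # Sets Active Scripting to Disable (3) in the Internet zone.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($ZoneKey, "Set value $ActiveScripting to 3 (disable)")) {
        Set-ItemProperty -Path $ZoneKey -Name $ActiveScripting -Value 3 -Type DWord
    }
}

Write-Host "Internet zone Active Scripting: $(Get-ActiveScriptingState)"
# Preview the change with: Disable-ActiveScripting -WhatIf
# Apply it with:           Disable-ActiveScripting
```

Run the audit function across the fleet first: it tells you which users already have the control in place and which still rely on the patch arriving.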

Quality concerns

Microsoft is looking at ways to provide speedier fixes for zero-day flaws, said Stephen Toulouse, security program manager at the company's Security Response Center. But, he added, "there are some huge challenges to that."

First and foremost is the issue of quality control, Toulouse said. Microsoft must ensure that its updates work properly and support a wide range of platforms. "We can't leave anybody behind," he said. "And unfortunately, [a patch] might be introducing new problems. So whenever we look at even a quick hack, it's got to be of quality."

PatchLink, a vendor of patch management software, surveyed 250 IT managers in February. More than 60 percent said they would like software vendors to release patches immediately when exploit code is in the wild. But the survey also showed that many IT professionals remain skeptical about using third-party patches, according to PatchLink.

In January, PatchLink made Guilfanov's WMF patch available to its customers. "About 25 percent downloaded it and took a look at it," including several large government organizations, said Chris Andrew, PatchLink's vice president of security technologies. But in the end, he said, the number of companies that implemented the patch "was probably limited to a handful."

Robert McMillan of the IDG News Service contributed to this story.

Jaikumar Vijayan