Fast exploits of flaws test Microsoft's patching policy

The growing number of zero-day exploits seeking to take advantage of unpatched security flaws in Microsoft's products is exposing some of the limitations of the company's monthly software update schedule, IT managers and analysts said last week.

Even so, they added, it may be better in most cases for corporate users to wait for Microsoft's official updates instead of installing interim patches released by third-party developers as a stopgap measure.

Robert Olson, a systems administrator at Uline, said he would like to see Microsoft issue supplemental fixes for unpatched vulnerabilities that are actively being exploited, such as a flaw in Internet Explorer that malicious hackers were targeting for attacks last week.

At the same time, Olson said that Uline, a distributor of packaging and shipping materials, has no intention of using third-party patches to plug security holes, no matter how critical they are.

"Our opinion is that you open yourself to greater threats," he said, citing fears that a third-party patch could disrupt production applications, leaving users to resolve the problems without help from Microsoft.

Relying on third-party fixes "is another example of people getting overly focused on patches and not paying attention to other compensating controls" for mitigating security risks, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry.

Hession said he thinks that for an IT manager to even consider installing a third-party patch, "the risks to your environment have to be severe and hard to mitigate by any other means."

The debate about the wisdom of using third-party patches was renewed last week amid considerable concern that the flaw in IE could be used by hackers to take complete control of vulnerable systems. Fueling the concerns was the public availability of sample attack code, as well as reports by Websense that more than 200 malicious Web sites had been set up to try to exploit the flaw.

Microsoft said it planned to issue a patch for the flaw as part of its next monthly update release on April 11, although the company added that it would act sooner if warranted.

Two security software vendors, Determina in Redwood City, Calif., and eEye Digital Security in Aliso Viejo, Calif., stepped into the breach and released interim fixes for users who didn't want to wait for Microsoft's patch.

It was the second time this year that third-party developers have released patches for zero-day flaws ahead of Microsoft. In January, a programmer in Belgium named Ilfak Guilfanov issued a patch designed to provide a temporary fix for the Windows Metafile flaw, a far more serious vulnerability that did eventually prompt Microsoft to release an out-of-cycle patch.

Although unofficial patches can be useful in some cases, it's unlikely that many businesses -- especially larger ones -- will deploy them, said Andrew Jacquith, an analyst at Yankee Group Research in Boston. Most IT managers "would really rather wait" than run the risk of implementing an untested patch, he said.

Bill Cassada, enterprise network administrator at Healthways, a health care services company in Nashville, said that workarounds are often available to help users mitigate the risks of unpatched flaws. With the latest vulnerability, for instance, all that needs to be done to protect systems is to turn off the Active Scripting function in IE, Cassada said.
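An added check for the compensating control Cassada describes (this is example code, not part of the article): a PowerShell audit of the Active Scripting action in each IE security zone, so an administrator can confirm the workaround is actually in place before relying on it. It assumes Microsoft's documented zone registry layout (one subkey per zone under Internet Settings\Zones, DWORD 1400 for Active Scripting with 0 = enabled, 1 = prompt, 3 = disabled); the function and lookup-table names are the example's own.

```powershell
# Added example, not from the article: report the Active Scripting action for each
# IE security zone. Assumes the documented zone layout: subkeys 0-4 under
# ...\Internet Settings\Zones, DWORD 1400 = Active Scripting (0 enabled, 1 prompt, 3 disabled).
# A machine-wide value under HKLM, when present, overrides the per-user HKCU value.

$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEActiveScriptingState {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')

    $base = "$Hive`:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($zone in 0..4) {
        $key = Join-Path $base $zone
        # Missing key or value means the zone is running on its built-in default.
        $raw = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        $state = if ($null -eq $raw) { 'Not set (zone default)' }
                 elseif ($ActionNames.ContainsKey([int]$raw)) { $ActionNames[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Hive      = $Hive
            Zone      = $ZoneNames[$zone]
            Value     = $raw
            State     = $state
            # The article's workaround targets web content, i.e. the Internet zone: only an
            # explicit 3 (Disabled) there counts as the mitigation being applied.
            Mitigated = ($zone -eq 3 -and $raw -eq 3)
        }
    }
}

# Show both hives side by side so a policy override in HKLM is visible next to the user setting.
Get-IEActiveScriptingState -Hive 'HKCU' | Format-Table -AutoSize
Get-IEActiveScriptingState -Hive 'HKLM' | Format-Table -AutoSize
```

Run it before and after applying the workaround; a `Mitigated` of `True` on the Internet zone row is the evidence that the setting, rather than just the intent, is in place.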

Quality concerns

Microsoft is looking at ways to provide speedier fixes for zero-day flaws, said Stephen Toulouse, security program manager at the company's Security Response Center. But, he added, "there are some huge challenges to that."

First and foremost is the issue of quality control, Toulouse said. Microsoft must ensure that its updates work properly and support a wide range of platforms. "We can't leave anybody behind," he said. "And unfortunately, [a patch] might be introducing new problems. So whenever we look at even a quick hack, it's got to be of quality."

PatchLink, a vendor of patch management software, surveyed 250 IT managers in February. More than 60 percent said they would like software vendors to release patches immediately when exploit code is in the wild. But the survey also showed that many IT professionals remain skeptical about using third-party patches, according to PatchLink.

In January, PatchLink made Guilfanov's WMF patch available to its customers. "About 25 percent downloaded it and took a look at it," including several large government organizations, said Chris Andrew, PatchLink's vice president of security technologies. But in the end, he said, the number of companies that implemented the patch "was probably limited to a handful."

Robert McMillan of the IDG News Service contributed to this story.

Jaikumar Vijayan