The growing number of zero-day exploits seeking to take advantage of unpatched security flaws in Microsoft's products is exposing some of the limitations of the company's monthly software update schedule, IT managers and analysts said last week.
Even so, they added, it may be better in most cases for corporate users to wait for Microsoft's official updates instead of installing interim patches released by third-party developers as a stopgap measure.
Robert Olson, a systems administrator at Uline said he would like to see Microsoft issue supplemental fixes for unpatched vulnerabilities that are actively being exploited, such as a flaw in Internet Explorer that malicious hackers were targeting for attacks last week.
At the same time, Olson said that Uline, a distributor of packaging and shipping materials, has no intention of using third-party patches to plug security holes, no matter how critical they are.
"Our opinion is that you open yourself to greater threats," he said, citing fears that a third-party patch could disrupt production applications, leaving users to resolve the problems without help from Microsoft.
Relying on third-party fixes "is another example of people getting overly focused on patches and not paying attention to other compensating controls" for mitigating security risks, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry.
Hession said he thinks that for an IT manager to even consider installing a third-party patch, "the risks to your environment have to be severe and hard to mitigate by any other means."
The debate about the wisdom of using third-party patches was renewed last week amid considerable concern that the flaw in IE could be used by hackers to take complete control of vulnerable systems. Fueling the concerns was the public availability of sample attack code, as well as reports by Websense that more than 200 malicious Web sites had been set up to try to exploit the flaw.
Microsoft said it planned to issue a patch for the flaw as part of its next monthly update release on April 11, although the company added that it would act sooner if warranted.
Two security software vendors, Determina in Redwood City, Calif., and eEye Digital Security in Aliso Viejo, Calif., stepped into the breach and released interim fixes for users who didn't want to wait for Microsoft's patch.
It was the second time this year that third-party developers have released patches for zero-day flaws ahead of Microsoft. In January, a programmer in Belgium named Ilfak Guilfanov issued a patch designed to provide a temporary fix for the Windows Metafile flaw, a far more serious vulnerability that did eventually prompt Microsoft to release an out-of-cycle patch.
Although unofficial patches can be useful in some cases, it's unlikely that many businesses -- especially larger ones -- will deploy them, said Andrew Jacquith, an analyst at Yankee Group Research in Boston. Most IT managers "would really rather wait" than run the risk of implementing an untested patch, he said.
Bill Cassada, enterprise network administrator at Healthways, a health care services company in Nashville, said that work-arounds are often available to help users mitigate the risks of unpatched flaws. With the latest vulnerability, for instance, all that needs to be done to protect systems is to turn off the Active Scripting function in IE, Cassada said.
Quality concerns
Microsoft is looking at ways to provide speedier fixes for zero-day flaws, said Stephen Toulouse, security program manager at the company's Security Response Center. But, he added, "there are some huge challenges to that."
First and foremost is the issue of quality control, Toulouse said. Microsoft must ensure that its updates work properly and support a wide range of platforms. "We can't leave anybody behind," he said. "And unfortunately, [a patch] might be introducing new problems. So whenever we look at even a quick hack, it's got to be of quality."
PatchLink, a vendor of patch management software, surveyed 250 IT managers in February. More than 60 percent said they would like software vendors to release patches immediately when exploit code is in the wild. But the survey also showed that many IT professionals remain skeptical about using third-party patches, according to PatchLink.
In January, PatchLink made Guilfanov's WMF patch available to its customers. "About 25 percent downloaded it and took a look at it," including several large government organizations, said Chris Andrew, PatchLink's vice president of security technologies. But in the end, he said, the number of companies that implemented the patch "was probably limited to a handful."
Robert McMillan of the IDG News Service contributed to this story.