Microsoft working on quick-fix capability for IT patch tools

Fix-it code would block malware until patch ready

"Will [Fix-it] be another avenue into applying some security fixes? Absolutely," says Schottland.

Some experts say Microsoft is applying its efforts in the right places.

"This is a tailor-made problem for group policy to solve," says Darren Mar-Elia, CTO and founder of SDM Software, which develops Group Policy tools. "Group Policy was designed originally to push out registry settings." He says the newer Group Policy Preferences introduced with Windows Vista and Windows Server 2008 make the process easier. Mar-Elia outlined the Group Policy options in a blog post Thursday.

The unsolved issue, however, is logging and reporting whether installation succeeded or failed.

"We have some free PowerShell commandlets that let you find out if policy processing worked, but it does not verify the results," said Mar-Elia. SDM is working on a tool to add that verification.

Still others say Microsoft is on the right track toward protecting users.

"Microsoft is new to this, but I think they are doing the right thing," says Eric Schultze, CTO of Shavlik Technologies. "In the days of old they just waited for Patch Tuesday. It's great they now have a way to turn around a fix in 24 hours. The question is can they make it easier for IT admins to roll out. I think they will do that."

Schultze says Shavlik customers are already asking it to provide packages they can install via Shavlik patch management tools, and Shavlik is pushing out Fix-it packages via its software.

"It is kind of a slippery slope. We start to become vulnerability management instead of patch management," he says.

But IT administrators are turning to whomever they trust as they scramble to deal with the rising trend of zero-day attacks. Microsoft has reported five since February.

Wolfgang Kandek, the CTO of Qualys, says the security vendor has 60 zero-day exploits listed in its database. He says other vendors have more than 100.

"I don't think the zero-day trend will end anytime soon," says Amol Sarwate, manager of the vulnerabilities research lab at Qualys.

Kandek says the interesting trend here is how these recent zero-day attacks are targeting ActiveX, a technology that allows code from a Web page to execute locally. Java applets implement a similar concept, although many feel they are less powerful and less dangerous because they don't command the same sort of OS control as ActiveX.

Google also is developing technology called Native Client for its recently unveiled Chrome OS that allows code to execute locally to boost the performance of Web-based applications. Google engineers admit the technology can be "ambitious and risky" and are working on security such as sandboxing and prohibiting certain actions.

Some say Microsoft's action of disabling ActiveX is a quick fix.

"They are going to have to get around to fixing the underlying code," says Paul Henry, security analyst for security vendor Lumension. "Disabling is not the solution."

Henry says the problem involves more than just Microsoft. He notes that Mozilla is instructing users to disable the Just-in-time (JIT) JavaScript compiler in Firefox 3.5 as Mozilla works to fix a vulnerability that is the focus of a zero-day attack. Adobe patched a zero-day PDF bug last month.

Henry says efforts are pointed in the right directions, but "I wish we were running in that direction."
