IE flaw points to limits of monthly patch releases

Zero-day exploits such as those targeting an unpatched vulnerability in Microsofts Internet Explorer Web browser are exposing some of the limitations of the company's monthly patch release schedule, users and analysts said Tuesday.

Even so, it may be better in most cases for enterprises to wait for Microsoft's official updates rather than implement interim third-party patches, they said.

"There's going to be no third-party patches for us," said Dave Jordan, chief information security officer for the Arlington County government in Virginia. "These things have to be really tested before we can put them on our production servers. By the time I finish testing, Microsoft would have released its own patches, so why go through the same exercise twice?"

The sentiment comes amid continuing concern that a vulnerability in IE could soon be exploited by hackers looking to take complete administrative control of vulnerable systems. The flaw, which involves the way IE processes Web pages using the createTextRange() method, is currently being exploited by attackers on more than 200 malicious Web sites.

Microsoft itself has called the attacks "limited in scope" and said it will release a patch addressing the flaw with its scheduled monthly updates on April 11 -- or sooner, if warranted.

However, two security vendors, Redwood City, Calif.-based Determina and eEye Digital Security, have already released interim fixes for the flaw for users unwilling to wait for Microsoft's official patches.

This is the second time in recent months that security vendors have pushed out patches for zero-day flaws ahead of Microsoft's official release. In January, a Belgian programmer named Ilfak Guilfanov released a similar interim patch to fix a far more serious Windows Metafile (WMF) flaw.

While such patches can be useful for some companies, it is unlikely that many enterprises, especially larger ones, will deploy them, said Andrew Jacquith, an analyst at Yankee Group Research in Boston. "They would really rather wait for an official patch" instead of implementing an untested patch from an unknown third party, he said.

Bill Cassada, enterprise network administrator at Healthways, a Nashville-based disease management company, said that he would like to see Microsoft "react quicker" to zero-day threats. But he added that Healthways is unlikely to roll out any interim patches to deal with the current threats, since several work-arounds are available.

Robert Olson, systems administrator with Uline, a distributor of packing and shipping materials, said that Microsoft's monthly patch release cycle provides companies with a "clean way" to push updates to users. He also said he would like to see supplemental updates for exploits involving unpatched vulnerabilities, but stressed that his company has no intention of using a third-party patch for any flaw, no matter how critical.

"Our opinion is that you open yourself to greater threats" of the patch disrupting production applications, he said. "With a genuine Microsoft patch, we can go back to Microsoft to get resolution" of any problem; The same is not possible with a third-party patch.

There are security concerns, as well, he said. "We imagine a worst-case scenario where a third-party patch fixes a Microsoft flaw but injects a rootkit type application that could do almost any malicious action the writer wanted," he said.

The SANS Internet Storm Center, Tuesday posted a note on its site advising users not to apply eEye's interim patch because work-arounds, such as turning off Active Scripting and using a different browser, appear to be effective.

"Some specific cases may require you to apply the third-party patch," SANS said. One example is when a company is required to use several third-party Web sites that function only with Internet Explorer and Active Scripting turned on, SANS said. In such cases, companies need to test the interim patch and consider contacting Microsoft before deploying it.

"We do suspect that Microsoft will still release an early patch, given the imminent danger to its customers from this flaw," SANS said.

PatchLink said that in a survey of 250 IT managers that it conducted in February, more than 60 percent said they would like software vendors to release patches immediately when exploits are in the wild. With zero-day exploits on the rise, the release and deployment of third-party patches is becoming more accepted -- though many IT professionals are still skeptical of the approach, the survey showed.

In January, for instance, PatchLink made Guilfanov's WMF patch available to customers who wanted it, but it found few takers, said Chris Andrew, vice president of security technologies at PatchLink.

"About 25 percent of our customers downloaded it and took a look at it," including several large government organizations, Andrew said. But in the end, the companies that actually implemented the third-party fix "was probably limited to a handful," he said.

Show Comments