I have stated that I do not like third-party patches. Here are some reasons:
- It can open other avenues of attack, since the bad guy is likely to start studying the third-party patch for security holes.

Now, there is a possibility that one of these reasons may no longer be an issue. SC Magazine has an article talking about the new MSFT flaw and the patches that have been released by Determina and ZERT. Both of these organizations claim that their patches do not need to be uninstalled to apply the official MSFT patch. If that is true, then the third issue from the above list is a non-issue. Now, that “if” is really big, and you would have to limit your patching to those organizations that build their patches in such a manner.
Now, I know something about Determina. I have seen this product installed, and I know basically how it performs. Essentially, it creates a shield around processes in memory, almost running each process in its own virtual memory space. It then does not allow any unauthorized access to those processes. It is basically a host-based IPS, but it does not rely on signatures to stop attacks. It is a proactive solution, and from what I have seen, it is a good product that allows you to relax your patching posture.
However, if they are fixing the flaw in the same manner, then they are not actually patching but are actually just shielding your system from the attack. So I would not call this a patch at all. However, it does work. To test it yourself, first go here to test if your browser is vulnerable. WARNING: if your browser is vulnerable, then it WILL crash. I have run the test, and it DOES crash your browser (of course, you’re fine if you are running Firefox, which I suspect many are that are reading this blog). Now that you have seen it crash, you can go download Determina’s “shield” from here. Run the MSI. Close all instances of IE, then go back to the test site and run it again. You should not be affected this time.
I did not run the ZERT patch (if that is what it is) because it looked a lot more complicated in its execution and I did not want to risk it. The Determina fix was packaged neatly in an MSI as well, so I have to believe that it is much easier to push out than the ZERT fix.
So make your own judgements with this new breed of third-party fixes / patches / shields. I still don’t advocate them completely, but if they work as the Determina and ZERT fixes claim, then I am less hesitant than before.
Vet


