Third-Party Microsoft Patch a Bad Idea
Tenuous support, trust, quality and assurance are just some of the reasons not to install a third-party patch.
Microsoft Windows Fax and Picture Viewer Buffer Overflow Vulnerability (WMF),
Exploit and Spyware Reports:
Despite tons of hype about this, malcode doesn't seem to have taken off. There has been chatter
about the detection rate among the various antivirus vendors, basically discussing
whether or not they could actually catch a malicious WMF versus just being able
to detect known malware contained within a malicious WMF. It doesn’t really
matter, does it, as long as it’s being caught?
Many of you have probably seen suggestions from a variety of sources (other
than Microsoft, and other than Cybertrust) that a third-party patch should have
been applied prior to Microsoft making its patch available. We told our customers,
in no uncertain terms, that installing a third-party patch is a bad idea!
Let me see if I can explain why.
There’s a difference between some tool that modifies a group of settings
to achieve a workaround, and one that is entirely binary and alters the way
the operating system (or some application) functions. The first you could do
yourself and easily verify. The second must be done by the binary, and there’s
no certain way to verify that’s all it does. Now some third parties stepped
up and said, “Hey, we checked it as best we could, and it looks fine to
us!” Well, that’s great, if they’re the ones you bought your
OS from and whom you’ll look to for support if something goes awry.
Don’t get me wrong: I’m not saying anything about the author of
such a patch, who may have the best of intentions and incredible skills -- that’s
not at issue here.
Worse, though, is that we (as security professionals) are constantly trying
to stop the public from installing binaries from “untrusted” sources.
How do we determine the difference between malware that comes as a screensaver
attachment in e-mail, and the best-intentioned, well-written patch for a security
vulnerability? Well, if it’s from Microsoft, it’s signed, and we
can verify that we trust the signature. We take it directly from Microsoft’s
known download locations, and its support people have a phone number you can
call if you have problems. Short of that (or the same thing with any other vendor),
we should keep to our best practice of not installing binaries we can’t
trust and verify.
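The three checks the column describes for a Microsoft binary (a signature you can verify, a known download location, and a way to tell the vendor's build from something else) can be scripted before anything is installed. The following PowerShell function is an added example, not code from the column or from Microsoft; the file path and the expected SHA-256 value are placeholders to be filled in from the vendor's official download page, and the publisher string is an assumption about what the signer certificate subject should contain.

```powershell
# Added example (not from the column): gate installation of a downloaded patch on
# signature, signer and vendor-published hash. Requires Get-FileHash (PowerShell 4+).
function Test-PatchTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPublisher = 'CN=Microsoft Corporation',          # assumed subject fragment
        [string] $ExpectedSha256    = '<SHA256-FROM-VENDOR-DOWNLOAD-PAGE>'  # placeholder
    )
    $result = [ordered]@{
        Path             = $Path
        SignatureValid   = $false
        PublisherMatches = $false
        HashMatches      = $false
    }

    # 1. Authenticode: the signature must chain to a trusted root and the file
    #    must be unmodified since signing. Anything other than 'Valid' fails.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')

    # 2. Signer: a valid signature from an unexpected publisher is still an
    #    untrusted binary, so check who actually signed it.
    if ($sig.SignerCertificate) {
        $result.PublisherMatches = ($sig.SignerCertificate.Subject -like "*$ExpectedPublisher*")
    }

    # 3. Provenance: a validly signed build obtained somewhere other than the
    #    vendor's download location passes steps 1 and 2. Comparing against the
    #    hash the vendor publishes ties the file to the release you meant to install.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashMatches = ($hash -ieq $ExpectedSha256)

    $result.Trusted = $result.SignatureValid -and $result.PublisherMatches -and $result.HashMatches
    [pscustomobject]$result
}

# Usage with a hypothetical path: refuse to proceed unless all three checks pass.
$check = Test-PatchTrust -Path 'C:\Downloads\vendor-patch.exe'
$check | Format-List
if (-not $check.Trusted) {
    Write-Warning 'Patch failed trust checks; do not install.'
}
```

The third check is the one that separates a build taken from the vendor's own download location from the same vendor's signed bits obtained some other way: the signature alone cannot tell those apart, the published hash can.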
We shouldn’t forget about quality and assurance either. Testing of a
patch from Microsoft is done extensively for us, prior to its release. Despite
the apparent concern over this WMF vulnerability (which, as I believed from
the beginning, was dramatically hyped), Microsoft still managed to extensively
test the patch prior to its release so we wouldn’t run into problems.
Can others make a similar claim?
This column was originally published in our weekly Security Watch newsletter.
One final note on this subject: Microsoft made a beta of the patch available
to some customers as part of that extensive Q&A testing. Someone made that
beta patch available to the public. Such a binary should, by reasonable administrators,
be treated the same as a third-party patch. Despite being
signed by Microsoft, it was not made available from a known and trusted Microsoft
download location, and Microsoft Support would not be able to provide you with
any assistance should it not function properly. Beta software may sound cool,
but it’s for testing purposes only, not for production use. It may totally
destroy the system it’s installed on or corrupt any number of things.
This must be expected from beta software, and a mechanism must exist to provide
feedback to the vendor about such software.
What good does it do to, for example, take a copy of the beta patch while not
being part of the actual beta and find out it doesn’t work? Since you’ve
got no formal arrangement with Microsoft to report bugs in the beta, you instead
contact some media outlet. What do you tell them? “Hey, this patch doesn’t
work!” Great, now everyone who’s waiting for the final patch thinks
it’s broken! Do they know whether or not the problems were quickly resolved
in a subsequent beta release? Of course not, how could they? Neither they nor
you are part of the beta! Does Microsoft get the needed information about just
why the patch is broken? Nope, of course not, they can’t get a dump or
know the specifications of the system or even whether or not it was applied
The bottom line is this: Never let the fear of a security breach cause you
to break your security best practices.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.