Friday, September 22, 2006

The ZERT Evolution

In January during the WMF fiasco, I wrote The Power of Open Source. What we're now reading in Zero-Day Response Team Launches with Emergency IE Patch is the latest evolution of this idea. The Zeroday Emergency Response Team isn't a bunch of amateurs. These are some of the highest skilled security researchers and practitioners in the public arena. They are stepping up to meet a need not fulfilled by vendors, namely rapid response to security problems.

Why is this the case? Customers running closed operating systems and applications are stuck. They can't fix problems themselves, so they rely on their vendor. In fact, they are paying their vendor to perform the fixing service. To fund development of an alternative fix would be like paying for a fix twice.

ZERT is demonstrating that this model is broken. They are trying to respond as fast as possible to attacks. Because no one can be "ahead of the threat," reaction time is often key. ZERT can act faster than the vendor because ZERT operates in a freer environment:

Please keep in mind while the group performs extensive testing of any patches before releasing them, it is impossible for us to test our patches with each possible system configuration and in each usage scenario. We validate patches to the best of our ability, noting the environments in which the tests were performed and the test results.

So what shall it be? Wait and be owned, or turn to a third party? Perhaps we'll see a more rapid release of a use-at-your-own-risk patch from vendors, followed by a tested-for-stability patch. It's tough to believe that people without access to source code are developing fixes faster that the creators of software!


chuck said...


I think we'd all love to see a closed source vendor put their money where their mouth is and stick their neck out by stating that they'll make patches available more quickly. I yearned for that with the whole WMF fiasco..

We're starting to see that even delayed patches can cause issues so why make people wait? It seems obvious to me that network or system owners need to test as best as possible (not to mention have processes and procedures in place to make up for any screw ups).

I'll be very interested to see how many downloads ZERT gets for their patches and how many problems relate back to their fix.

I sure do applaud the guys from ZERT and hope that they fair well in the coming months, years.. they have plenty of work ahead :)


Anonymous said...

VML is pwning faces. If a third-party patch works, it can't be ignored.

Anonymous said...

i dont really see why this was necessary. considering there was an effective work around exists and that the distribution of this exploit is still not widely seen (last I heard, 20 servers have been identified). The risk of screwing things up with such a patch is too high. (consider a scenario of a system that contains dozens of patches from these sort of third parties. incompatibilities might result)
While I acknowledge the danger of this particular vulnerability, I believe security researchers are somewhat abusing it to get attention to their cause and their products.
Microsoft is considering an out of cycle patch --- lets just wait for that and deploy the work around in the meantime.
Oh - in addition, it seems like many anti virus products are already alerting and blocking this anyway. I run AVG and it alerted me to this as I played around the the public exploit code...

chuck said...

Anon#2, those are acceptable workarounds to you and I'm sure many others. However, say you're in a situation where a group or large groups may need the patch to be able to perform their job. Then what?

These guys (ZERT) are just giving you that last option so that you can give your customer an option as well. Of course, *proceed with caution* warnings should apply but nonetheless I think the main thing to gain out of all this is that we have one more option to ponder - at the very least.


LonerVamp said...

I am not sure what to think of this. Obviously they cannot guarantee patches and are acting as a third party. This may introduce more problems than it solves. Additionally, I am not sure I would want to use their patches in my environment, or rather wait for the vendor-released, tested, supported, and paid-for patch.

Now, they are making a valid point: the public and us professionals are a little fed up with insecurities caused by hardware/software and patches not arriving in a timely manner, giving us some sleepless nights here and there. I do applaud this movement and idea, but I'm thinking the idea is going to be far better than the product, in the long run. And yes, they likely will only tackle the most serious issues such as a zero-day wormable issue or something effecting many people and systems.

Does anyone know of any large vendor that releases quick patches? consistently? I mean, the larger a company gets, the longer their processes are and testing regimen have to be. You can't poop out a fix in one day at Microsoft, necessarily. The DRM issue may be different as that issue affected a narrow product set and likely did not need all that much testing. But how can Microsoft, for example, tell customers that they have a patch in a quick amount of time and still guarantee that it won't completely break everything else, making them possibly liable for downed systems, downed services, and possibly lives? Patch quickly with less testing or leave systems open...? You can argue that either way.

I see this issue as one that the security industry will not be happy with, ever. If patches come out quick, it will only take one major patch to screw up something big due to the speed of release, and we'll be singing the opposite tune, never happy.

It behooves companies like Microsoft to have a very agile and fast-responding team to security issues, while the rest of the time they sit around, no? But how could even they offer up patches that MS could stand behind with their support and agreements and guarantees?

Smaller companies and open source groups react faster, typically, due to their nature of being smaller and/or less liable. (The latter of course being one reason companies are not able to use their products...hehe.)

Anonymous said...

anonymous #2,

It may not be widely distributed though 20 known servers would seem to indicate that the number is rising quickly, but the number of systems being compromised is already high and what makes this serious. I think you're underestimating the severity of the situation.

Approving the workarounds that minimize vulnerability is as difficult as getting a third-party patch approved. Breaking functionality or discarding IE will create just as many hurdles as trying to approve a third-party patch. I think many companies will do none of the above no matter what security personnel recommend.

Relying on AV is a mistake because

Anonymous said...

...because of the following from SANS:

(*): It's important to note the difference of your antivirus solutions detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first will offer real protection against new threats.

Anonymous said...

"So what shall it be? Wait and be owned, or turn to a third party?"

Anonymous said...

This is necessary because the vendor refuses to supply support for previous suckers that bought systems with Win 95/98/ME in good faith and have been abandoned. Manny can not afford to buy the latest MS BS, they need a new roof, or to pay insurance. The web is as week as the weakest un patched system.

laptop battery said...
This comment has been removed by a blog administrator.
dghnfgj said...
This comment has been removed by a blog administrator.