Why Are Third Party Patches The Only Choice?

I read an article by Alan Shimel of StillSecure about the whole third party patch issue. At the end he said “I think overall the security industry has done a great job, maybe too good a job of banging the drums on zero day stuff” which got me thinking…

The security industry has done a great job of raising concerns over zero day exploits and the need to patch known vulnerabilities as quickly as possible. Is the result of that initiative a bunch of Chicken Littles screaming the sky is falling? Isn’t that basically their job? And is it right for Microsoft to hold off on distributing a patch for nearly three weeks based on the fact that they weren’t seeing enough attacks on the exploit to warrant an out of cycle patch?

The core issue here is defining everyone’s job in the realm of security.

The security community’s job is to distribute information within the community as quickly as possible and in an appropriate tone to indicate the severity of the situation. For example, if the folks at the ISC release an advisory and elevate the Infocon to yellow I know it’s a serious event that needs my prompt attention.

The security team within a company has the job of interpreting all the information available to them and processing and acting on that information in a manner that satisfies their constituents. This means that the decision to patch or not to patch is their decision, based on their intimate knowledge of the needs of their constituency, the impact of the solution, etc.

The vendor’s job (Microsoft in this case) is to evaluate the vulnerability that has been discovered, release appropriate advisories and release a fix for the vulnerability.

Notice that it isn’t the vendor’s job to decide when or how the security team acts on the advisory. That decision can only be made by the customer, whose systems are at risk.

It is perfectly acceptable to release most patches in a scheduled cycle. This is the case when public disclosure of the vulnerability occurs at the same time the patch is released or when mitigating circumstances reduce the criticality of the vulnerability. For example, it is acceptable to wait three weeks to release a patch for a vulnerability that hasn’t been publicly disclosed and requires physical access to exploit.

However, in the case of an Internet Explorer vulnerability that 1. allows arbitrary code execution and 2. is publicly disclosed weeks before the next patch cycle, the vendor has a responsibility to release an out-of-cycle patch so that the IT security teams can make the decision to apply the patch or wait.

I can’t find a link right now, but one of the ISC handlers had a good idea: beta patches released ahead of the regular patch cycle that would allow a security team to get quick-and-dirty protection if they felt they needed it.

That seems like a much better solution than what we currently have, which is Microsoft dictating the security of your network.

UPDATE

Johannes Ullrich was the ISC handler who suggested beta patches. More on this page.


[...] Back in April I wrote a series of posts about third party patches. I was irked after the WMF and the IE createtextrange() vulnerabilities were disclosed rapidly and weeks before Microsoft’s asinine, rigid monthly patch cycle. I won’t revisit the series here, you can read it separately if you are curious, but in neither case did Microsoft deem it necessary to release an out of cycle patch. As an aside, in article three of the series I was again commenting on one of Alan’s articles. I know, it looks like I’m a Shimmy fanatic. =) [...]