If I sent you a security patch for one of your production server operating systems, would you trust and install it?
If I sent you a security patch for a production server that controls, say, the power grid of a major metropolitan area (the one that you live in), would you trust and install it, assuming you even could? Why or why not?
Back in January, my column here was about a patch to a Microsoft vulnerability. At the time, a private individual had written and posted his own patch to the vulnerability, several days before Microsoft had released its own patch.
What ZERT is doing is exactly what I proposed above. They're a bunch of professional security guys, many of whom I personally know and have tremendous respect for, who analyze security weaknesses in products and put together patches for them in situations where they perceive the product's vendor is not responding quickly enough.
I've got to admire and salute their enthusiasm and their devotion to security, without a doubt. I also fully appreciate the circumstances that catalyzed the formation of their group. Standing by and watching phishers and other Internet miscreants wreak havoc with an as-yet unpatched vulnerability is a horribly helpless and enormously frustrating feeling.
Most of us security folks read about new vulnerabilities and are quick to take preventative measures, even before the patch comes out, but that doesn't help the hordes of people who aren't part of the security club and just don't know any better.
However, I also have grave concerns about how much real good is done by this sort of vigilantism. I'd be really surprised to hear of any truly high-risk data processing facilities installing a ZERT patch on a production system, particularly if critical infrastructure, lives, or even just money are at risk. I'm less surprised to hear of desktop users installing ZERT patches until the vendor patches are available. But is that worth all the effort?
Without a doubt, producing a security patch is a difficult task. Just doing QA testing on the patch prior to releasing it must be insanely difficult, and our software vendors still make mistakes from time to time. But don't get me wrong; I'm not rushing to their defense here. I strongly believe that the status quo of "disclose, sprint, patch" is horribly broken and is doomed to failure.
We can shake our fists at software product vendors and say things like, "You guys have got to take software security more seriously," until we're blue in the screen, but human nature says that we're still going to have to fix things that are broken from time to time.
Accepting this fact, what's the value proposition of a group like ZERT? Do they help keep the software product vendors honest by forcing them to react more quickly? Or do they take a bit of pressure off of them by providing stopgap patches in the interim, while the product vendors seriously and rigorously test their patches prior to release?
It would be great to hear some candid user reviews of the ZERT patches and how they were applied in production data facilities. It would be refreshing to hear from even one large enterprise that is willing to stand up and say that they installed the latest ZERT patch and found it to be a useful service.
In reality, though, I doubt that we'll hear much of that kind of user story. Only time is likely to answer those questions in any sort of meaningful way. The optimist in me wants to believe the latter, but the pessimist in me thinks that's not likely to be the case.
In the meantime, I'll look at each ZERT patch on a case-by-case basis, decide which is worse for me and my company (the problem or the interim solution), and continue to hope that the product vendor can respond quickly enough for my purposes. And any ZERT patch would have to be the last possible choice, ranked even behind shutting off a service or feature until a vendor patch can arrive. Either way, though, kudos to the ZERT crew for their valiant attempts to do good things for the community.