If I sent you a security patch for your desktop operating system, would you trust and install it?

If I sent you a security patch for one of your production server operating systems, would you trust and install it?

If I sent you a security patch for a production server that controls (say) the power grid of a major metropolitan area — the one that you live in — would you trust and install it, assuming you even could? Why or why not?

Back in January, my column here was about a patch to a Microsoft vulnerability. At the time, a private individual had written and posted his own patch to the vulnerability, several days before Microsoft had released its own patch.

Now, an ad hoc group of professionals calling itself the Zero-day Emergency Response Team, or ZERT, has sprung up with the self-described mission of producing patches like this for the public good.

What ZERT is doing is exactly what I proposed above. They’re a bunch of professional security guys, many of whom I personally know and have tremendous respect for, who analyze security weaknesses in products and put together patches for them in situations when they perceive the product’s vendor is not responding quickly enough.

I’ve got to admire and salute their enthusiasm and their devotion to security, without a doubt. I also fully appreciate the circumstances that catalyzed the formation of their group. Standing by and watching phishers and other Internet miscreants wreak havoc with an as-yet unpatched vulnerability is a horribly helpless and enormously frustrating feeling.

Most of us security folks read about new vulnerabilities and are quick to take preventative measures, even before the patch comes out, but that doesn’t help the hordes of people who aren’t part of the “security club” and just don’t know any better.

Broken System

However, I also have grave concerns about how much real good is done by this sort of vigilantism. I’d be really surprised to hear of any truly high-risk data processing facilities installing a ZERT patch on a production system, particularly if critical infrastructure, lives, or even just money are at risk. I’m less surprised to hear of desktop users installing ZERT patches until the vendor patches are available. But is that worth all the effort?

Without a doubt, producing a security patch is a difficult task. Just doing QA testing on the patch prior to releasing it must be insanely difficult, and our software vendors still make mistakes from time to time. But don’t get me wrong; I’m not rushing to their defense here. I strongly believe that the status quo of disclose, sprint, patch is horribly broken and is doomed to failure.