The Rise of Patch Vigilantism
An ad hoc group of computer security professionals is producing patches for vendor software. But is this a good thing?
If I sent you a security patch for one of your production server operating systems, would you trust and install it?
If I sent you a security patch for a production server that controls (say) the power grid of a major metropolitan area, the one that you live in, would you trust and install it, assuming you even could? Why or why not?
Back in January, my column here was about a patch to a Microsoft vulnerability. At the time, a private individual had written and posted his own patch to the vulnerability, several days before Microsoft had released its own patch.
What ZERT is doing is exactly what I proposed above. They're a bunch of professional security guys, many of whom I personally know and have tremendous respect for, who analyze security weaknesses in products and put together patches for them in situations when they perceive the product's vendor is not responding quickly enough.
I've got to admire and salute their enthusiasm and their devotion to security, without a doubt. I also fully appreciate the circumstances that catalyzed the formation of their group. Standing by and watching phishers and other Internet miscreants wreak havoc with an as-yet unpatched vulnerability is a horribly helpless and enormously frustrating feeling.
Most of us security folks read about new vulnerabilities and are quick to take preventative measures, even before the patch comes out, but that doesn't help the hordes of people who aren't part of the security club and just don't know any better.
However, I also have grave concerns about how much real good is done by this sort of vigilantism. I'd be really surprised to hear of any truly high-risk data processing facilities installing a ZERT patch on a production system, particularly if critical infrastructure, lives, or even just money are at risk. I'm less surprised to hear of desktop users installing ZERT patches until the vendor patches are available. But is that worth all the effort?
Without a doubt, producing a security patch is a difficult task. Just doing QA testing on the patch prior to releasing it must be insanely difficult, and our software vendors still make mistakes from time to time. But don't get me wrong; I'm not rushing to their defense here. I strongly believe that the status quo of disclose, sprint, patch is horribly broken and is doomed to failure.