Fast exploits of flaws test Microsoft's patching policy

03.04.2006
The growing number of zero-day exploits seeking to take advantage of unpatched security flaws in Microsoft Corp.'s products is exposing some of the limitations of the company's monthly software update schedule, IT managers and analysts said last week.

Even so, they added, it may be better in most cases for corporate users to wait for Microsoft's official updates instead of installing interim patches released by third-party developers as a stopgap measure.

Robert Olson, a systems administrator at Uline Inc. in Waukegan, Ill., said he would like to see Microsoft issue supplemental fixes for unpatched vulnerabilities that are actively being exploited, such as a flaw in Internet Explorer that malicious hackers were targeting for attacks last week.

At the same time, Olson said that Uline, a distributor of packaging and shipping materials, has no intention of using third-party patches to plug security holes, no matter how critical they are.

"Our opinion is that you open yourself to greater threats," he said, citing fears that a third-party patch could disrupt production applications, leaving users to resolve the problems without help from Microsoft.

Relying on third-party fixes "is another example of people getting overly focused on patches and not paying attention to other compensating controls" for mitigating security risks, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry.