Are You Still Vulnerable?


Solution providers say security patches sometimes fall short


Security patches don't always fix the problems they aim to solve and can even create new ones, solution providers say, citing a recent Microsoft patch as an example.

Vigilinx, a Parsippany, N.J., security services company, said the massive patch Microsoft released on May 15 for Internet Explorer didn't correct all the vulnerabilities it targeted. Cross-site scripting vulnerabilities remained in certain versions of IE after the patch was installed, Vigilinx said.

Israel-based GreyMagic Software also cited problems with the patch. However, Christopher Budd, security program manager at Microsoft's Security Response Center, said the patch works.

 
PATCHWORK
>> JUNE 2001: Microsoft issues new Exchange patches.
>> OCT. 2001: Microsoft updates terminal server amendment.
>> JAN. 2002: Red Hat revises patch for file synchronization program.
>> MAY 2002: Researchers say cumulative IE patch doesn't address all flaws.
Source: Vigilinx, Red Hat, Microsoft

 

Microsoft has amended other patches. Last fall, the vendor fixed a flawed patch for Windows 2000, and last June it twice updated a patch for Exchange Server. Other vendors also have released patches that haven't been thoroughly tested, said Adam Lipson, executive vice president of client services and product development at Vigilinx.

Some customers may have a false sense of security when it comes to patches, said Danielle Fournier, president of ARX Partners, a security consultant in Watertown, Mass.

"People are applying these patches and then walking away. They're assuming that their systems are now secure when in fact they may be more vulnerable," she said.

Steve Martinez, president of RazorLine Technologies, a security solution provider in Lenexa, Kan., said it's frustrating to install a patch that crashes the application or won't interoperate with other components.

"[Microsoft] has recently had this all-hands-on-deck approach to security, but it seems like there should be more testing before the patch is released," he said.

Microsoft's Budd said creating patches is a complex engineering process. "We go to great lengths to do everything we can to get these things right," he said.

Lipson said vendor patches need third-party validation, and Vigilinx tests patches on appropriate platforms and provides customers with results tailored to their particular systems.