March 29th, 2006
No endorsement for 3rd party IE patches this time?
When the WMF vulnerability hit at the beginning of this year, security groups like SANS endorsed 3rd party patches and Ilfak Guilfanov received global fame. But this time, there are no such endorsements for similar patches from eEye and Determina from SANS which offers up some strange reasoning.
When eEye became the first to release a 3rd party patch, they were criticized for not releasing any source code for others to verify. But then when eEye did release the source, the reason given for not endorsing it is that a workaround from Microsoft is available. But that’s also bogus since a workaround was given for the WMF exploit last time which arguably had far less impact than the current Active Scripting workaround which breaks a whole bunch of websites that require Active Scripting.
But an even stranger statement from the same SANS advisory states "Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments". Call me crazy, but I though Internet Explorer is used in production environments in 90% of all the world’s Internet browsers. I’m not necessarily endorsing the 3rd party patch myself, but I still think Microsoft needs to come out with an out-of-band patch as soon as possible.
I’m not trying to pick on SANS and they did a great job vetting the 3rd party WMF patch last time, but this most recent advisory just doesn’t make any sense. If SANS doesn’t want to get in to the business of vetting 3rd party patches, don’t beat around the bush with nonsense and just say so.
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
