Users have for years been afflicted with exploitable technology, so why are third-party patches taking flight now? "A year or two ago, everyone was worried about worms," eEye COO Ross Brown told me Thursday. "But worms are bad for the black-hat [hacker] business because they are destructive rather than profitable. Since the middle of last summer, they've been focusing on targeted attacks."
This includes socially engineered attacks such as phishing schemes that cause damage up and down the technology food chain, giving a black eye to technology vendors, damaging the reputations of the banks, insurance companies, and other businesses that buy and deploy that technology, and threatening to pilfer money from the consumers who have put their trust in a given bank or insurance provider. There's a lot more at stake now that, as Brown puts it, "the day of the worm and the massive virus outbreak is passing."
There have been at least 200 Web sites created to exploit the Internet Explorer createTextRange vulnerability. Even worse, since these exploits deal in spyware and Trojans, users could be infected and not even know it, eEye co-founder and chief hacking officer Marc Maiffret told me.
Should you subject your company's computers to a spyware witch-hunt when you can just as easily preempt such a situation with a free patch? "Would you rather wear a bullet-proof vest or have a surgeon standing by in case you're shot?" Brown asks. I'll take the Kevlar, thank you very much. A lot of people agree, since eEye's patch has been downloaded about 100,000 times so far.
Microsoft's recommendation has been to disable Active Scripting to mitigate the dangers of the Internet Explorer createTextRange vulnerability. This is a great idea if you don't plan to get much work done between now and April 11. Since so many Web applications rely on Active Scripting, it's not practical for most businesses to do this. "It's like saying turn off your computers, and you'll be fine," Brown says.
But eEye took a bit of a risk in developing and issuing its patch. True, much of the technology used in the patch was already available in the company's Blink product and the company has garnered a hefty amount of positive publicity for its efforts, but eEye has also had to expend time and effort supporting the patch. Worse, if the patch had been ineffective or created new problems for its users, all the blame would have fallen squarely on eEye. "Yes, there is the marketing side of things like [developing] the IE patch," Maiffret says. "But at the end of the day, we put a patch out there to help. It's not like we did something bad to get this attention."
To be fair, Microsoft, Oracle, and other large software companies created their patching cycles for a reason. These patches are software updates that take time to create and test. McAfee learned this the hard way in mid-March when a daily virus definition file erroneously flagged hundreds of legitimate executables as a malicious virus, leading some customers to quarantine or delete the offending files and render applications such as Microsoft Excel inoperative.
Once a patch is released, it's a race between the users to test and install the code and the black-hat hacker community to reverse-engineer and exploit the code. If a company knows that Microsoft will issue a patch the second Tuesday of every month, IT management knows it can expect an increase in security threat activity around that time. "It creates a rhythm for security managers," Brown says.
It's been argued that the emergence of a market for third-party patches could create a breeding ground for phishing sites as snake-oil salesmen offer their shady products to IT managers desperate to protect their systems against the next attack. This isn't likely, particularly if reputable programmers like Guilfanov and the eEye crew offer their fixes for free. "One of our customers asked which patch they should deploy if there starts to be a lot of third-party patches," Maiffret says. "I told them, it's just like picking a dentist or a plumber--you're going to go with someone who's got a good reputation." Of course, even after all the publicity phishing has gotten over the past few years, people still fall for it. I guess they deserve what they get, as would any IT manager who trusts a patch from someone he's never heard of.
Will other security research and software firms follow suit the next time a vulnerability threatens Microsoft's or any other major software vendor's users? Brown told me, "I don't think Microsoft wants to see anymore third-party patches, but the genie's out of the bottle now."