On September 16, 1997, Apple named Steve Jobs Interim CEO, a year after returning to the company that he had founded. Bud Selig served as interim commissioner for six years before Major League Baseball officially handed over the reins in 1998. When businesses face big challenges and a perfect solution isn't imminent, they implement an interim solution. It may be temporary, it may be imperfect, but something is better than nothing. Why then is the software industry so opposed to interim patches?
Two weeks ago, Adobe acknowledged a vulnerability in most versions of Adobe Reader that could lead to remote code execution. In that same advisory, they announced that a patch would be issued by March 11, leaving arguably the majority of computers worldwide exposed to attack in the meantime. To make matters worse, security firms have reported seeing attacks that leverage this vector as early as the beginning of 2009. One would therefore presume that Adobe has known about this issue for some time.
Adobe went on to suggest that users disable JavaScript in order to protect themselves. That advice was short-lived: on March 3rd, Dave Aitel announced that Immunity had released a working exploit which did not require the use of JavaScript. Not to worry though, as Adobe also assured customers that it was working with anti-virus vendors to ensure that signature-based detection would be available to protect against potential attacks. How's that working out? A quick check with VirusTotal shows that as of this evening, only 5 of 39 AV vendors have protection in place for the proof-of-concept exploit released on February 22nd. That's less than 13% of vendors, for an exploit whose source code has been available for nearly two weeks! It's tough to argue with Damballa's recent bashing of the AV industry.
The security industry, on the other hand, had a very different reaction. Lurene Grenier of SourceFire released a homebrew patch just three days after the Adobe advisory. Now I find it hard to believe that if a sole researcher, with no access to source code and no exclusive knowledge of the product, can implement basic protection within days, Adobe cannot do the same, with better quality, in a similar time frame. I'm not asking for a perfect solution - I can wait until March 11 for that. I'm asking for an interim patch - a quick fix to a big problem. Yes, I'm willing to accept the risk that it will break something and hinder my ability to view PDF documents. Heck, I'm even willing to accept that it will erase a few. I'm willing to accept that risk because it is far less damaging than the prospect of unwittingly joining the next botnet army. Sadly, while the recent Adobe debacle has become the poster child for the case for interim patches, it is only the latest high-profile vulnerability representing a problem that won't go away on its own.
Our industry loves to fuss and debate over formulas and approaches to determine risk. Rather than kick off a study group to study the work of another group, let me cut to the chase and propose a simple questionnaire for the entire software industry. The next time an evil-doer exposes a vulnerability in one of your software products, ask yourself three simple questions:
- Are more than 10% of Internet users affected?
- Is an exploit in the wild?
- Will it take more than 7 days to release a permanent fix?
If you answered yes to all of the above questions - stop reading and start writing a quick-and-dirty patch that we can all use to protect ourselves.
- michael
Zscaler Blog
Interim Patches