The rise of zero-day patches

Part 2: ZERT

What is ZERT?

ZERT: ZERT (the Zero-day Emergency Response Team) is a group of engineers with extensive experience in reverse engineering software, firmware and hardware coupled with liaisons from industry, community and incident response groups. While ZERT works with several Internet security operations and has liaisons to anti-virus and network operations communities, ZERT is not affiliated with a particular vendor. The purpose of ZERT is not to "crack" products, but rather to "uncrack" them by averting security vulnerabilities in them before they can be widely exploited.

Why do we need a Zero-day Emergency Response Team?

ZERT: In recent times there has been significantly more effort by criminal elements to exploit zero-day vulnerabilities for financial gain. In some cases the pervasiveness of vulnerabilities presents a critical risk to a significant number of internet users. At such times it may be desirable to some people to have an option to implement interim safeguards until a manufacturer's patch is available. ZERT members work together as a team to release a non-vendor patch when a so-called "0day" (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the internet, or both.

What type of channels do you control to look for zero-day exploits?

ZERT: ZERT members belong to and work with a wide variety of organisations that encounter zero-day exploits or reports thereof.

At the moment you have released some patches for Microsoft software. Do you plan to work on other vendors' software too?

ZERT: When a zero-day is announced members of ZERT will discuss the perceived exploitability of the vulnerability and the anticipated impact. If the vulnerability is deemed to be critical enough to warrant a patch and the members have the time and skills to create a patch that they are comfortable with then the name of the vendor is not really a concern.

How much time do you need to develop a patch? How much additional effort is needed to support localised versions of the software?

ZERT: The amount of time to develop, test and release a patch will vary from vulnerability to vulnerability. There really haven't been enough patches released by ZERT to have a meaningful historical reference. To date we have not discussed the localisation of patches.

Generally closed-source vendors take a long time to release patches. They often claim that this time is required to test all possible configurations and interactions with other software to avoid breaking production systems. How can your approach be faster even without access to source code? What type of reliability testing do you make?

ZERT: ZERT always recommends that anyone using a third party patch perform extensive testing in their environment to determine the suitability and compatibility of the patch. ZERT cannot perform the in-depth testing that we would expect of the vendor. If a person is faced with taking one or more servers or workstations offline or trying a third party patch until the vendor has an authorized solution, the choice may be to risk a patch that has undergone less than optimal testing. Generally, if vendor supplied workarounds are viable those would be a first choice.

ZERT developers and beta testers test the patches on a variety of systems, but we do not claim to be able to perform the exhaustive testing that a vendor would. That is why ZERT always recommends caution in the use of third party patches and proper testing in the user's environment.

Did you have any legal problem posting some disassembled code from a Microsoft patch in your paper [PDF]?

ZERT: No, we have not had any legal problems at all.

ZERT has a legal advisor, but we have not had legal issues at all, other than how we wish to license our patches. ZERT does not publish vulnerabilities, ZERT provides patches for published vulnerabilities.

From your analysis of official patches from Microsoft, what can you say? What approach do they use when fixing bugs?

ZERT: ZERT has no interest in the variety of ways that a vendor may choose to approach the problems they solve. Vendors must choose the methods they deem most suitable on a case by case basis. ZERT's focus is generally on interim solutions for critical vulnerabilities.

How do you install your patches? Do you need to include some pieces of the file you are going to patch? Do you think this could become a legal problem?

ZERT: There are a variety of ways to patch vulnerabilities. Care is taken not to redistribute code in a manner that would violate license agreements. We have had no reason to expect any legal problems to date and do not expect any in the future. We license our software as open source under BSD or GPL.

Will new Vista security mechanisms block the use of external patches?

ZERT: This will depend on what needs to be patched. As long as it is not the kernel or a signed driver it is unlikely to have much effect on third party patches, and probably virtually no effect on patching vulnerabilities for other vendors' products.

Does Microsoft EULA limit your power to develop and/or distribute fixes?

ZERT: Microsoft EULAs do not apply to Linux, Apple, Sun, Dlink, Linksys, etc. ZERT is not a vendor centric organisation. We have not had any issues with Microsoft in regards to EULA infringements.

Are you aware of any new clause included in Windows Vista EULA that could affect your work?

ZERT: ZERT enjoys open communications with Microsoft. If a Microsoft EULA is ever an issue with respect to a ZERT patch we are confident that Microsoft will advise us of any concerns. We do not anticipate any issues with any vendor's EULAs, however.

Federico Biancuzzi is a freelancer. In addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus
