Third Party Patching - It's PR, not a market

Submitted by Mike Rothman on Thu, 2006-03-30 18:41.

I just read a blog post by Larry Greenemeier that set me off (http://www.informationweek.com/blog/main/archives/2006/03/microsoft_secur.html) in that he wonders aloud whether there is actually a market for 3rd party patches. Some European dude and now eEye have gotten a lot of PR because they issued patches and now this is a market.

WRONG! This is not a market, this is a PR exercise. I'm sure the researchers have the best intentions for why they are issuing these patches. They probably even believe they are helping out the community, and maybe they are. But let's be clear on this one, this is a way for each organization to increase their visibility with the express goal of selling more of their product.

eEye does not invest in their own research group because they are trying to help the community. That may be a fortunate byproduct, but the real reason is that it increases their visibility and enhances their credibility in the security circles that buy their product. IT IS PUBLIC RELATIONS.

But the question still remains whether there is a business there. I say a resounding no. Why? Because over the past 5 years that Microsoft has been serious about their patching process, this is the 2nd situation in which they've been dreadfully late and caused others to take action. And dreadfully late is a matter of opinion. If eEye didn't issue the patch, would this be as big a deal?

Maybe I'm being naive and the world really has changed because folks are using these exploits to create zombies that can then be monetized later. So, if the patch is wildly successful we'll still have another 150,000 new zombies today. I guess that's better than 250,000, but how much better? 

Also, how long do you think that each product is applicable for? The answer is until Microsoft fixes the problem. What, a week or two? You can't build a business on waiting for Microsoft to screw up and then issuing a patch until they get their act together. Maybe you can build a hobby, but definitely not a business. 

As I mentioned in the 3rd party patching perspectives blog post (here), defense in depth helps you to be insulated against one exploit that Microsoft hasn't fixed yet. I must admit that all this 3rd party patching stuff is starting to annoy me. I hope Microsoft rolls something next week (not waiting until the 11th) and shuts everybody up.

Then we can finally get back to sharing our angst about data privacy and xenophobia. It is angst that makes the world go around after all.

Submitted by alan shimel (not verified) on Thu, 2006-03-30 21:13.
This is just the type of thing Captain Obvious was talking about. eEye is trying to position themselves as the ones who find (they actually buy) new vulnerabilities and now by positioning themselves as also the ones who will on a temp basis fix them, they are doing PR to make themselves look like heroes. In the meantime, what do you hear about their products?
Submitted by JNichols (not verified) on Fri, 2006-03-31 12:58.
I won't try to make an argument that eEye's patch was more than PR (it was, but you won't buy it). However, eEye does not purchase their vulns - their research team IS the best in the industry and they have more than enough expertise to find these vulns on their own.
Submitted by alan shimel (not verified) on Sat, 2006-04-01 08:24.
If you are going to claim that eEye's research team is the best as you state, you should at least mention that you work at eEye.
Submitted by Ross Brown (not verified) on Mon, 2006-04-03 01:53.

Alan,

Jay does not work at eEye, he works at Sterling, our PR firm. His opinions posted above, however, are his own. We do, however, agree with him.

Disclaimer - I work at eEye.

RB

Submitted by Mike Rothman on Thu, 2006-03-30 21:20.
Good point Alan. It continues to amaze me that some folks in the press go off half-cocked with speculation that couldn't possibly stand up to the scrutiny of a market based economy. In terms of eEye's product, their vuln management stuff has always been highly regarded. In a past life, we tried to make a number of deals with them, including an acquisition - but the price tag was too steep. But their stuff was always very good. Now I haven't looked into it for 2 years, so things may have changed - so that's my disclaimer.
Submitted by Mike Rothman on Sun, 2006-04-02 20:02.
I apologize that some comments were inadvertently deleted by the spam filter on the site. Hopefully we won't have these issues moving forward. Sorry about that.
