I just read a blog post by Larry Greenemeier that set me off (http://www.informationweek.com/blog/main/archives/2006/03/microsoft_secur.html) in that he wonders aloud whether there is actually a market for 3rd party patches. Some European dude and now eEye have gotten a lot of PR because they issued patches and now this is a market.
WRONG! This is not a market, this is a PR exercise. I'm sure the researchers have the best intentions for why they are issuing these patches. They probably even believe they are helping out the community, and maybe they are. But let's be clear on this one, this is a way for each organization to increase their visibility with the express goal of selling more of their product.
eEye does not invest in their own research group because they are trying to help the community. That may be a fortunate byproduct, but the real reason is that it increases their visibility and enhances their credibility in the security circles that buy their product. IT IS PUBLIC RELATIONS.
But the question still remains whether there is a business there. I say a resounding no. Why? Because over the past 5 years that Microsoft has been serious about their patching process, this is only the 2nd situation in which they've been dreadfully late and caused others to take action. And dreadfully late is a matter of opinion. If eEye didn't issue the patch, would this be as big a deal?
Maybe I'm being naive and the world really has changed because folks are using these exploits to create zombies that can then be monetized later. So, if the patch is wildly successful we'll still have another 150,000 new zombies today. I guess that's better than 250,000, but how much better?
Also, how long do you think that each product is applicable for? The answer is until Microsoft fixes the problem. What, a week or two? You can't build a business on waiting for Microsoft to screw up and then issuing a patch until they get their act together. Maybe you can build a hobby, but definitely not a business.
As I mentioned in the 3rd party patching perspectives blog post (here), defense in depth helps you to be insulated against one exploit that Microsoft hasn't fixed yet. I must admit that all this 3rd party patching stuff is starting to annoy me. I hope Microsoft rolls something out next week (not waiting until the 11th) and shuts everybody up.
Then we can finally get back to sharing our angst about data privacy and xenophobia. It is angst that makes the world go around after all.