Mar 28 2006
Don’t get in the habit of using 3rd party patches
My friend, Alan Shimel, asks the question, “3rd Party Patches - Should you use them?“ And I have to answer with a resounding ‘NO’. The first third-party patch out there was the WMF vulnerability patch from Ilfak Guilfanov, and while I appreciated the fact that he made it available and it worked well, I didn’t install it because I don’t know Ilfak or anything about him. I know who Microsoft is, and while I don’t always like or trust the patches they come out with, I always know who to call if their patches break something.
I also know, barring some catastrophic compromise, any patch I download from Microsoft will not have a trojan built into the software. I’m sure Ilfak’s patch didn’t, and I feel reasonably sure the patch being offered by eEye will also be safe. But if we start getting in the habit of using third-party patches, we run the risk of becoming complacent and opening ourselves to additional vulnerabilities or hidden capabilities in the patch. It’s a question of trust and accountability for the patch and its repercussions. I feel I can hold Microsoft fully accountable, while I’m not sure I could hold a third party equally accountable.
I’m not saying there’s never going to be a reason to use a third-party patch. But it’s not something we should make a habit of. Microsoft sometimes moves slowly, but there hasn’t been a vulnerability so critical that I couldn’t find some other way to mitigate it. But your mileage may vary. If a vulnerability comes out that you can’t mitigate, you may have to use someone else’s patch to protect yourself. Just make absolutely sure you know what you’re getting yourself into ahead of time.
Technorati Tags: security, patching, microsoft
I’m just curious, but does the term “third party patch” have any meaning with respect to open source software? (You are referring in your post to Microsoft I assume)
Third Party Patches for Windows?
We’re seeing a new trend lately with Microsoft’s monthly patch cycle. First was the WMF exploit that was discovered a week or so before Black Tuesday. Microsoft resisted releasing an out-of-cycle patch until the security community pressur…