Third Party Patches for Windows?
We’re seeing a new trend lately with Microsoft’s monthly patch cycle. First was the WMF exploit that was discovered a week or so before Black Tuesday. Microsoft resisted releasing an out-of-cycle patch until the security community pressured them (directly or indirectly, I’m not sure) into releasing a patch.
Now, with the latest IE createtextrange() vulnerability, we are again seeing third party patches before the vendor can release an official one. So the million dollar question is which is the lesser of two evils: applying a third party patch, or accepting the risk and waiting for an official patch from the vendor.
This decision is best made on a case-by-case basis and shouldn’t be made by the security staff alone. This is a good time to have a quick meeting with your IT heads and discuss the risks and all possible outcomes of either waiting for an official vendor patch or applying a third party patch.
I found some good info on Martin McKeay’s blog and agree with him 110%. With third party patches (even from a company the likes of eEye) you don’t have the assurance you get from Microsoft. I would never recommend a third party patch that hadn’t either been recommended by a trusted source or originated from one. And always look for and use the MD5 hashes or PGP signatures published alongside the patch, to further ensure you’re getting the patch you think you’re getting and not something altered in transit or on a mirror.
I’ll continue to say it: this type of situation is exactly the reason I’m moving towards technology that lessens my dependence on vendor patches as a primary means of protection. Technology that will help:
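To make the hash check above concrete, here is an added example (not from the original post or from any patch vendor) in Python that verifies a downloaded patch against the md5sum/sha256sum-style checksum line a publisher lists next to it. The file name and digests used with it are constructed; MD5 is included only because that is what vendors published at the time, and a SHA-2 digest plus a PGP signature should be preferred wherever offered.

```python
import hashlib
import hmac
from pathlib import Path

# Digests a publisher might list next to a download. MD5 and SHA-1 are
# collision-prone and kept only for legacy checksum files; prefer sha256.
SUPPORTED = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def file_digest(path, algorithm):
    """Hash a file in chunks so a large installer is not read into memory at once."""
    h = SUPPORTED[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one md5sum/sha256sum-style line: '<hex>  <filename>' (or '*<filename>')."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line")
    digest, name = parts
    return digest.lower(), name.lstrip("*")  # '*' marks binary mode in md5sum output


def verify_patch(path, checksum_line, algorithm="sha256"):
    """Return True only if the file's digest matches the published one.

    Refuses to guess when the published digest length does not fit the
    algorithm, checks the listed file name, and compares in constant time.
    """
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    expected, name = parse_checksum_line(checksum_line)
    if name != Path(path).name:
        return False  # checksum was published for a different file
    if len(expected) != SUPPORTED[algorithm]().digest_size * 2:
        raise ValueError("published digest length does not match algorithm")
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)
```

A match only tells you the bytes are the ones the publisher listed; whether that publisher is trustworthy is the separate question the post is about.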
- IPS
- HIPS
- Group Policies to harden desktops
- User education
- etc

[...] I’ve had plenty of time to think about and read about differing opinions on the “third-party patch” quandary (my original post on it is here). I’ve read opinions that companies could be releasing third-party patches as a means of getting their name in front of potential customers or as a means of PR/advertisement. [...]
[...] Back in April I wrote a series of posts about third party patches. I was irked after the WMF and the IE createtextrange() vulnerabilities were disclosed rapidly and weeks before Microsoft’s asinine, rigid monthly patch cycle. I won’t revisit the series here, you can read it separately if you are curious, but in neither case did Microsoft deem it necessary to release an out-of-cycle patch. As an aside, in article three of the series I was again commenting on one of Alan’s articles. I know it, looks like I’m a Shimmy fanatic. =) [...]