Debate: Should companies use unofficial patches to fix vulnerabilities?

FOR - Alan Bentley, MD of PatchLink EMEA

With a wave of zero-day exploits, organisations face a growing dilemma – wait for the official vendor patch, which could take weeks, or apply a third-party fix as a temporary remedy.

Up until January, the best option for IT administrators was to adopt the work-around tips issued by the software vendor. However, this does not eliminate the threat – the only way to truly eradicate a threat is to deploy a fix or policy change across all systems. Hence the emergence of third-party fixes.

True, rogue patches pose a significant threat to a network – potentially causing systems to fall over. But a third-party fix that has been rigorously tested, scrutinised, code reviewed and endorsed by reputable security organisations is a completely different ballgame.

Third-party fixes can offer the same level of risk mitigation as vendor-prepared patches, providing that IT administrators ensure their networks are truly ready and able to deploy the patches quickly and effectively. Third-party fixes may pose a conundrum for IT managers – but they should not be dismissed.

AGAINST - Amol Sarwate, vulnerability research lab manager, Qualys

Russian programmer Ilfak Guilfanov began 2006 by releasing a third-party patch for Microsoft's WMF vulnerability, 11 days before Microsoft's own. In March, eEye Security and Determina released software to address a loophole in Microsoft's browser, 13 days before the official fix.

Microsoft advises users to wait for the official fix, but security issues such as the latest CreateTextRange browser bug, which allows malicious hackers to take over PCs used to visit specially crafted pages, compel customers to make stop-gap arrangements.

But while Guilfanov's patch may have worked as intended, typical non-vendor patches do not undergo intense testing, may not work in all environments, and come with no guarantees. Most companies installing these complicated fixes do not have the resources or ability to verify the suitability of these solutions.

Complications and potential risks of third-party patches far outweigh their benefits. Companies should investigate possible workarounds and signatures rather than laying themselves open to the damage caused by a corrupt patch.

Copyright © SC Magazine, US edition
