
2 minutes on…Third-party patch?

Shane Coursen, senior technology consultant at Kaspersky Lab, said he could see himself being tempted to rush to a third-party patch, but advises users to wait until the vendor that wrote the affected software has had time to test its own fix.

"If I was a person affected by the Windows metafile (WMF) exploit, I would be looking at a third-party patch with great fondness," he said. "But I only want to get a patch from the place it came from."

The debate over the safety of third-party fixes emerged after security firms found a metafile vulnerability in numerous versions of the Windows operating system. With the next scheduled Patch Tuesday two weeks away, users were left pondering whether to apply a third-party patch offered by computer scientist Ilfak Guilfanov or to follow Microsoft's published workarounds until the software giant released its own patch.
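Coursen's rule of thumb, taking a patch only from the place the software came from, can be enforced mechanically before anything is installed. The following PowerShell function is an added example and is not from the article or from any vendor; it checks that a downloaded patch carries a valid Authenticode signature and that the signing certificate's subject matches the expected publisher. The file path and the publisher string are assumptions for illustration. An unsigned community hotfix fails the first check (status NotSigned), and a file signed by someone other than the expected vendor fails the second.

```powershell
# Added example (not from the original article): refuse to install a patch
# unless it carries a valid Authenticode signature from the expected publisher.
# The path and publisher name passed in are assumptions for illustration.
function Test-PatchPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject   # e.g. 'CN=Microsoft Corporation'
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        Write-Warning "$Path : file not found; not installing"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'NotSigned', 'HashMismatch', 'UnknownError', etc. for anything
    # that is unsigned, tampered with, or chained to an untrusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status); not installing"
        return $false
    }

    # A valid chain only proves *someone* trusted signed it; also pin the publisher.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        Write-Warning "$Path : signed by '$subject', expected '$ExpectedSubject'; not installing"
        return $false
    }

    Write-Host "$Path : valid signature from $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"
    return $true
}

# Usage with a hypothetical file name (assumption, not a real update package):
# if (Test-PatchPublisher -Path 'C:\patches\vendor-update.exe' -ExpectedSubject 'CN=Microsoft Corporation') {
#     Start-Process -FilePath 'C:\patches\vendor-update.exe' -ArgumentList '/quiet' -Wait
# }
```

This check answers only the provenance question raised in the article, whether the patch really came from the vendor; it says nothing about whether the fix is correct or supported, which is the separate concern O'Brien raises below.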

Ron O'Brien, senior security analyst for Sophos, said waiting for the official patch is still the better option, since a company that adopts third-party fixes would face fallout.

"For one, Microsoft would no longer support you."

Oracle's January release of patches for 82 flaws across a number of its products also prompted some experts to ask whether patches should be released more frequently. The mass release led Rich Mogull, an analyst with Gartner, to declare that Oracle could "no longer be considered a bastion of security," because of its infrequent patching schedule and the number of vulnerabilities being discovered.

In November 2004, Oracle began issuing updates four times a year. At that time, CSO Mary Ann Davidson said quarterly releases would not leave users exposed for long, but also would not overwhelm them with the need for constant fixes.

Sam Curry, vice president of eTrust Security Management at CA, said companies will eventually be able to turn out patches to customers more frequently than they do now.

"Eventually they might be able to do them more quickly and do testing on them as well."

Curry also said that while patch cycles can be frustrating, they are often driven by customer requests for orderly fixes.

"You don't want to be too quick to judge. Very often, it is the customers who demand [the patches] be in a cycle," he said.
