Apply third-party patches at your peril warns ISS

Internet Security Systems (ISS) says that its research suggests that software users who apply patches supplied by third parties are in violation of their licence agreements.

According to the IT security vendor, zero-day vulnerability disclosures, such as the recent Internet Explorer 'CreateTextRange' vulnerability, are a major concern for enterprises because they remain unpatched for a considerable time, so giving attackers a window of opportunity to exploit vulnerable systems.

This fear, says ISS, has given rise to the release of so-called 'unofficial security patches'.

"Enterprises can feel pressured into believing that on the balance of risks, applying an unofficial patch is safer than remaining exposed to attack", said James Rendell, ISS' senior technology specialist.

However, he added, applying unofficial patches will likely violate the licence agreements for the software it is applied to, which in turn will render that software unsupported by the vendor.

"The reason why a vendor like Microsoft takes some time to release a hotfix is because they have to ensure quality and system integrity across multiple combinations of Windows service packs, international editions and supported hardware platforms," he explained.

According to ISS, the unofficial patches being developed by these third-party organisations are opportunistic PR efforts rather than serious security fixes.

As you might expect, ISS has an axe to grind on the subject, as it offers a virtual patch technology to its customers, which it claims avoids the risks of unofficial patches by shielding unpatched systems from vulnerabilities, without the need to violate licence agreements or void future vendor support by making unapproved modifications to core system software.

The virtual patch, says ISS, also provides protection until the official vendor patch can be applied, so negating any emergency patch nightmares...