Businesses could be breaking software licensing agreements by using “unofficial” patches provided by third parties, security experts have warned.

Enterprise security firm Internet Security Systems said businesses were tempted to use unofficial security patches when flaws with known exploits remain unpatched by software manufacturers for some time.

ISS cited the example of the recent Internet Explorer CreateTextRange vulnerability, which remained unpatched by Microsoft for more than two weeks until its scheduled monthly security update, despite the circulation of exploit code on the internet. The vulnerability to zero-day attacks led two companies to produce unofficial patches.

But applying unofficial patches would be likely to violate software licensing agreements, which would in turn render the software unsupported by its vendor, ISS warned.

Gunter Ollmann, director of ISS's X-Force research and development team, said, “The reason why a vendor like Microsoft takes some time to release a hotfix is because they have to ensure quality and system integrity across multiple combinations of Windows service packs, international editions and supported hardware platforms.”

He added, “The unofficial patches being developed by these third-party organisations are opportunistic PR efforts rather than serious security fixes.”

The warning follows a survey of 300 senior IT managers earlier this month by security firm PatchLink, which found that more than half of respondents wanted software suppliers to take a more flexible approach to releasing patches for zero-day exploits.