Third party patches could break licence terms

Businesses could be breaking software licensing agreements by using “unofficial” patches provided by third parties, security experts have warned.

Enterprise security firm Internet Security Systems said businesses were tempted to use unofficial security patches when flaws with known exploits remain unpatched by software manufacturers for some time.

ISS cited the example of the recent Internet Explorer CreateTextRange vulnerability, which remained unpatched by Microsoft for more than two weeks until its scheduled monthly security update, despite the circulation of exploit code on the internet. The vulnerability to zero-day attacks led two companies to produce unofficial patches.

But applying unofficial patches would be likely to violate software licensing agreements, which would in turn render the software unsupported by its vendor, ISS warned.

Gunter Ollmann, director of ISS's X-Force research and development team, said, “The reason why a vendor like Microsoft takes some time to release a hotfix is because they have to ensure quality and system integrity across multiple combinations of Windows service packs, international editions and supported hardware platforms.”

He added, “The unofficial patches being developed by these third party organisations are opportunistic PR efforts rather than serious security fixes.”

The warning follows a survey of 300 senior IT managers earlier this month by security firm PatchLink, which found that more than half of respondents wanted software suppliers to take a more flexible approach to releasing patches for zero-day exploits.
