Businesses could be breaking software licensing agreements by using “unofficial” patches provided by third parties, security experts have warned.
Enterprise security firm Internet Security Systems said businesses were tempted to use unofficial security patches when flaws with known exploits remain unpatched by software manufacturers for some time.
ISS cited the example of the recent Internet Explorer CreateTextRange vulnerability, which remained unpatched by Microsoft for more than two weeks until its scheduled monthly security update, despite the circulation of exploit code on the internet. The vulnerability to zero-day attacks led two companies to produce unofficial patches.
But applying unofficial patches is likely to violate software licensing agreements, which would in turn leave the software unsupported by its vendor, ISS warned.
Gunter Ollmann, director of ISS's X-Force research and development team, said, “The reason why a vendor like Microsoft takes some time to release a hotfix is because they have to ensure quality and system integrity across multiple combinations of Windows service packs, international editions and supported hardware platforms.”
He added, “The unofficial patches being developed by these third party organisations are opportunistic PR efforts rather than serious security fixes.”
The warning follows a survey of 300 senior IT managers earlier this month by security firm PatchLink, which found that more than half of respondents wanted software suppliers to take a more flexible approach to releasing patches for zero-day exploits.