Should you use third-party patches?

The rise of zero day exploits and the delayed release of supplier patches has led some firms to turn to third-party fixes to protect their network. But are they safe?

The responsible disclosure of security flaws in software from suppliers is being undermined by hackers being paid to find bugs and using this information to create exploits.

According to security software supplier Trend Micro, criminals are prepared to pay large sums for new software flaws in popular products.

The system works by creating exploits as soon as software suppliers release security bulletins. The information provided by the bulletin will generally describe in detail where the flaw occurred, providing a lead for hackers to create programs which they can sell to organised crime and fraudsters.

Trend Micro said that newly discovered Vista zero day exploits have been auctioned for £2,500, with XP vulnerabilities reaching £3,800.

According to Uriel Maimon, a senior researcher at security software supplier RSA Security, Windows security flaws are being sold on the open market, just like phishing kits and Trojans - with unpublished zero day exploits for Windows selling for £1,000.

A spokesman for the Serious Organised Crime Agency confirmed that malware attacks were rising, and that the agency had seen evidence of exploits being produced by organised crime for financial gain.

The problem is not just limited to the UK. The FBI also estimates that spyware and other computer-related crimes caused £32bn of damage to US businesses in 2005.

The problem has gained attention because of Microsoft's decision to delay until last month a security update for a vulnerability (the animated cursor exploit) it had known about since 2006. As a result of hackers targeting the flaw through a zero day attack, some users installed free third-party fixes, which were made available earlier.

Security software supplier eEye Digital Security provided an unofficial patch last year to this Microsoft vulnerability and received 70,000 downloads in three days. The increase in zero day attacks is one reason users have been unwilling to wait for official updates.

The early availability of third-party patches gives rise to the question of why Microsoft - with the best knowledge of and access to the source code - takes longer than volunteer programmers to fix the problem.

Microsoft said that creating security updates that fix vulnerabilities is an extensive process, and factors influencing the speed of the process include conducting a risk assessment on the affected product and testing it.

"Once the update is built it must be tested with the different operating systems and applications it affects, then localised for many markets and languages across the globe. In some instances, multiple suppliers are affected by the same or similar issue, which requires a coordinated release," said a Microsoft spokesman.

However, Alan Shimel, chief strategy officer at security supplier StillSecure, said, "The most recent patch by eEye was so widely downloaded because there were real attacks in the wild exploiting this vulnerability, and Microsoft did not respond quickly enough. Users have a legitimate right to download a third-party patch."

Shimel advises using third-party patches with caution, but said that if suppliers did not release patches quickly enough, the whole responsible disclosure system of vulnerability research falls apart.

Raimund Genes, chief technology officer for anti-malware at Trend Micro, said that if Microsoft did not change the way it issues updates to take into account these types of attacks, it would leave its customers vulnerable.

Bill Nagel, security analyst at Forrester Research, said zero day attacks are getting nastier and better organised, and he expects to see more third-party patches being released before the software supplier releases an official patch.

As a lot more exploits are also being released on Patch Tuesday (or the day after), Nagel said IT security managers should draft plans to deal with zero day attacks. "

Determining a realistic threat level is important in the current example, this will give security managers guidance on whether to apply an unofficial patch or wait for the official Microsoft response."

Nagel warned that if users applied an unofficial patch, they would need to uninstall it before installing the supplier's official patch. He also recommended that they only download a third-party patch signed by a trusted source.

"If possible, audit the source code yourself to ensure that it does only what it claims to do - otherwise, your patch might contain a Trojan worse than the flaw it claims to fix."

Computer Weekly blogger and former chief security officer at the Royal Mail, David Lacey, said, "By dowloading third-party fixes you are substituting one risk for another. As long as you understand what can go wrong, it is fine. That is what risk assessment is all about. But personally, I would be a little worried about the consequences."

Microsoft said it carefully reviews and tests security updates and workarounds to ensure their quality, but the company could not provide similar assurances for independent third-party security updates.

Microsoft urged to scrap Patch Tuesday >>

Free web threats download from Trend Micro >>

eEye Digital Security: vulnerability database >>

Serious Organised Crime Agency >>

The Federal Bureau of Investigation: IT >>

David Lacey's security blog
Managing security from one of the UK's leading security experts

Comment on this article: [email protected]

Read more on IT risk management