The Risks of Unofficial Patches

This is quite a normal scenario: A zero-day pops up on the Internet by a security researcher. Immediately afterwards we see the first exploits appearing and being integrated into the different attack tools. Now, the race started: The vendor has to develop a security update, the criminals try to exploit the vulnerability.

Part of the holy grail – so it seems – are these researchers being able to deliver a security update much faster than the vendor and the vendor then is immediately publically told that they fail. This is just happening now with Adobe: Unofficial fix brings temporary relief for critical Adobe vuln

Let me add a few thoughts on this:

  • For a vendor, developing the update is not the part, which takes time – testing is. We have more than 600 million downloads when we publish an update. If we “just” break 10% of the systems the update is installed, it would be a huge denial of service. So testing is the name of the game. How well is an unofficial patch tested?
  • Often the vendor publishes workarounds (at least we do). This should be part of your risk mitigation strategy. Would the workaround be acceptable to buy you time?
  • How far do you trust the author of the unofficial update? How big is the risk that the update comes with pre-installed malware? The question immediately comes up: Why should we trust a vendor? Well, you bought or downloaded the software at the first hand – so, you decided to trust the vendor at the beginning.
  • What do you do, once the vendor releases an update? Can you de-install the unofficial update?

Basically, it is a risk management decision, which should include at least the questions I raised above. Do not just run for the unofficial update – to me it should be really the last resort, if even!

Roger