Security Watch

Third-Party Microsoft Patch a Bad Idea

Tenuous support, trust, quality and assurance are just some of the reasons not to install a third-party patch.

• By Russ Cooper
• 01/16/2006

Many of you have probably seen suggestions from a variety of sources (other than Microsoft, and other than Cybertrust) that a third-party patch should have been applied prior to Microsoft making its patch available. We told our customers, in no uncertain terms, installing a third-party patch is a bad idea! Let me see if I can explain why.

There’s a difference between some tool that modifies a group of settings to achieve a workaround, and one that is entirely binary and alters the way the operating system (or some application) functions. The first you could do yourself and easily verify. The second must be done by the binary, and there’s no certain way to verify that’s all it does. Now some third parties stepped up and said, “Hey, we checked it as best we could, and it looks fine to us!” Well, that’s great, if they’re the ones you bought your OS from and whom you’ll look to for support if something goes awry.

Don’t get me wrong: I’m not saying anything about the author of such a patch, who may have the best of intentions and incredible skills -- that’s not at issue here.

Worse, though, is that we (as security professionals) are constantly trying to stop the public from installing binaries from “untrusted” sources. How do we determine the difference between malware that comes as a screensaver attachment in e-mail, and the best-intentioned, well-written patch for a security vulnerability? Well, if it’s from Microsoft, it’s signed, and we can verify that we trust the signature. We take it directly from Microsoft’s known download locations, and its support people have a phone number you can call if you have problems. Short of that (or the same thing with any other vendor), we should keep to our best practice of not installing binaries we can’t trust and verify.

We shouldn’t forget about quality and assurance either. Testing of a patch from Microsoft is done extensively for us, prior to its release. Despite the apparent concern over this WMF vulnerability (which, as I believed from the beginning, was dramatically hyped), Microsoft still managed to extensively test the patch prior to its release so we wouldn’t run into problems. Can others make a similar claim?

One final note on this subject: Microsoft made a beta of the patch available to some customers as part of that extensive Q&A testing. Someone made that beta patch available to the public. Such a binary should, by reasonable administrators, be treated the same as they would third-party patch. Because despite it being signed by Microsoft, it was not made available from a known and trusted Microsoft download location and Microsoft Support would not be able to provide you with any assistance should it not function properly. Beta software may sound cool, but it’s for testing purposes only, not for production use. It may totally destroy the system it’s installed on or corrupt any number of things. This must be expected from beta software, and a mechanism must exist to provide feedback to the vendor about such software.

What good does it do to, for example, take a copy of the beta patch while not being part of the actual beta and find out it doesn’t work? Since you’ve got no formal arrangement with Microsoft to report bugs in the beta, you instead contact some media outlet. What do you tell them? “Hey, this patch doesn’t work!” Great, now everyone who’s waiting for the final patch thinks it’s broken! Do they know whether or not the problems were quickly resolved in a subsequent beta release? Of course not, how could they? Neither they nor you are part of the beta! Does Microsoft get the needed information about just why the patch is broken? Nope, of course not, they can’t get a dump or know the specifications of the system or even whether or not it was applied correctly.

The bottom line is this: Never let the fear of a security breach cause you to break your security best practices.