3rd Party Patch Perspectives

Submitted by Mike Rothman on Tue, 2006-03-28 15:15.

Did you like the alliteration I used in the title? Kidding aside, Microsoft is again being called on the carpet about how long it takes to release patches, especially when exploit code is already in use in the wild. That's a good thing, but the question remains whether using a 3rd party patch makes sense.

Alan Shimel brings up the discussion (here), but doesn't really draw any conclusions besides that we'll see more of this. Thank you, Captain Obvious. Thankfully a guy like Alan can take a little ribbing. Martin McKeay (here) follows Alan's ideas and provides his opinion on the matter, which is that he'd rather trust Microsoft and wait.

My opinion is that Martin is both right and wrong. My driver's ed teacher told me, "You may be right, but you'll still be dead." So staying true to something (like waiting for Microsoft) is all well and good until your network is down because the outbreak hit you hard. The problem is you never know when your number is up, so you need to evaluate on a case by case basis. I suspect waiting for the official patch will be the right answer 95% of the time.

Both Alan and Martin rightfully point out the risk of downloading something nasty when dealing with a third party patch from an unknown quantity. It would be a bad day when your 3rd party patch creates more problems than the exploit it was supposed to block.
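If you do decide a 3rd party patch is worth the risk, at least make the "something nasty" scenario harder. The minimum bar is that the file is signed by the publisher you think it came from and matches a hash you got through a separate channel. Here is an added example of that gate (my illustration, not code from the original post, eEye, or anyone else); the path, the publisher subject string and the expected hash are placeholders you would fill in from the vendor's own advisory.

```powershell
# Added example, not from the original post or any vendor: refuse to deploy a
# third-party patch unless it (1) matches a SHA-256 hash obtained out of band,
# (2) carries a valid Authenticode signature, and (3) was signed by the publisher
# you expect. All parameter values are assumptions supplied by the caller.
function Test-ThirdPartyPatch {
    param(
        [Parameter(Mandatory)] [string] $PatchPath,          # e.g. 'C:\Staging\hotfix.exe' (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedPublisher,  # full certificate Subject, e.g. 'CN=Vendor, O=Vendor, ...' (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedSha256      # hex digest published by the vendor, not taken from the download page
    )

    if (-not (Test-Path -LiteralPath $PatchPath)) {
        return [pscustomobject]@{ Ok = $false; Reason = "file not found: $PatchPath" }
    }

    # 1. Hash pinning. Get-FileHash returns uppercase hex, so normalize the expected value too.
    $actual = (Get-FileHash -LiteralPath $PatchPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        return [pscustomobject]@{ Ok = $false; Reason = "SHA256 mismatch: got $actual" }
    }

    # 2. Authenticode. Anything other than 'Valid' (NotSigned, HashMismatch,
    #    UnknownError, NotTrusted, ...) means the file is untouched-by-nobody-you-trust.
    $sig = Get-AuthenticodeSignature -LiteralPath $PatchPath
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    # 3. Publisher pinning. 'Valid' only proves *somebody* with a cert that chains to a
    #    trusted root signed it; compare the signer's subject to the one you expect.
    $signer = $sig.SignerCertificate.Subject
    if ($signer -ne $ExpectedPublisher) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer: $signer" }
    }

    return [pscustomobject]@{ Ok = $true; Reason = 'hash, signature and publisher verified' }
}

# Usage (placeholder values); only deploy when .Ok is $true.
# $r = Test-ThirdPartyPatch -PatchPath 'C:\Staging\hotfix.exe' `
#                           -ExpectedPublisher 'CN=Vendor, O=Vendor, L=City, S=State, C=US' `
#                           -ExpectedSha256 '0123...'
# if (-not $r.Ok) { Write-Warning $r.Reason }
```

The hash check matters even with a valid signature: a signed binary from the right publisher can still be a different build than the one whose behaviour you read about, and a hash you fetched from the same page as the download proves nothing. Get it from the advisory, a mailing list post, or a phone call, not from the download link.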

Martin's real point is that he strives to have multiple defenses against each attack vector. So even if the patch takes a few days, he's protected via other means. Whether you want to call it "defense in depth," "layered security" or just plain common sense, it's exactly right.

Those of you that keep all of your eggs in one basket (even if it is a basket made of gold residing in Redmond, WA) should revisit the story of Humpty Dumpty. That one didn't end too well.


Submitted by Alan Shimel (not verified) on Tue, 2006-03-28 15:54.
Captain Obvious here ;-) I got the word play in the title, cute. You are right, I did not draw any conclusions, shame on me. We also compete with eEye at StillSecure and I did not want to come across as bashing a competitor. Maybe in my next life I can be an analyst and bash everyone :-) Seriously, a point I was trying to make is that as vulnerabilities move beyond just OS stuff, will we see a cottage industry from companies putting out temporary fixes. eEye gathers lots of PR around finding vulnerabilities, is the next step to also put out short-term fixes? I agree that in certain circumstances a 3rd party fix may be the prudent thing to do, especially if that 3rd party has a solid track record on them.
