Third Party Binary Patches
Dave G. | March 30th, 2006 | Filed Under: Disclosure, Industry Punditry
While it definitely isn't a new phenomenon, issuing third-party patches for vulnerabilities is becoming an interesting way for security companies to build a low-cost awareness campaign. We have now seen it twice on Windows in the space of a few months: first with Ilfak Guilfanov's WMF hotfix (which patched the GDI rendering flaw that attackers were triggering through the browser, not Internet Explorer itself), and now, according to David Cowan's blog, eEye and Determina have each issued patches for the latest IE vulnerability.
Is this just a classic example of how smaller companies can move quickly to solve problems before larger ones can, only applied to the larger company's own codebase? Binary patching someone else's product puts you in a great situation:
- Incredibly fast release time, because you don't need regression testing. Why not?
- No accountability: you can basically say that your code may work or may cause extreme data corruption, and it doesn't matter, because...
- This wasn't a bug in your code; you are just being a good neighbor.
The practical side of this, for anyone who actually deploys one of these, is that a patch that hooks or rewrites a vendor's binary in place was only ever tested against the specific builds its author had on hand, and it has to be removed before the vendor's own fix replaces that binary, or the two will be fighting over the same bytes.
If this practice becomes widely accepted, could we see a world where security researchers stop coordinating with vendors and simply include binary patches in their advisories?

...and in that world, there is no persistence of the patch for future versions.
I’d be surprised if the patch were duplicated for builds of the product on alternate platforms, either. Or multiple branches which share the common flaw.
This seems to be a stop-gap at best, and serves to provide an immediate fix, pending the vendor fixing their code, not a substitute for them doing so.
Kate | Homepage | 03.31.06 - 8:07 am | #
“This seems to be a stop-gap at best, and serves to provide an immediate fix, pending the vendor fixing their code, not a substitute for them doing so.”
I rather think that's the idea. Get some easy publicity/goodwill for your vulnerability disclosure, rather than merely the 15 minutes of fame.
Sooner or later the vendor will issue a full patch and things will be back to normal. But fewer people will be annoyed with the vendor...and some people will be pleased with the 3rd party interloper. Win-win.
bleh | 03.31.06 - 10:25 am | #