Better try existing mitigation options and wait for a patch

Mar 7, 2017 08:12 GMT

Google disclosed two different unpatched Windows vulnerabilities, one of which has recently received a third-party fix from a company called 0patch, whose purpose is to keep users secure until Microsoft itself releases an official update.

With the next Patch Tuesday taking place on March 14, there’s no doubt that there are plenty of consumers and IT admins out there who are tempted to deploy this unofficial patch, especially because Google went public with vulnerability details, so Windows users are more or less exposed to attacks.

To determine whether users should turn to third-party patches for Windows flaws or not, we reached out to Chris Goettl, product manager at Ivanti, who told us that it’s better for everyone to turn to the existing mitigation options than to deploy such fixes.

Better stick with existing workarounds

Chris explained that in the case of discontinued products or open-source solutions, third-party patches are super-useful, but this is not the case with software that is still actively supported by its vendor, as is the case with Windows.

“The problem starts to come in when dealing with software especially where there may be warranties or EULAs involved. If something were to go wrong and the versions of files are unexpected, Microsoft will be resistant to supporting the system until it is reverted back to production files,” he told us.

“Many 3rd parties consume and modify Microsoft components, but in doing so they assume support for those files. Once Microsoft releases a fix, will it install over the top of the changes from 0Patch? If any issues occur, it leaves the user/company in a gray area.”

Chris goes on to explain that the best course of action is to stick with the existing workarounds, such as blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN, until a fix is provided, which should happen on March 14.
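The workaround described above is normally applied at the perimeter firewall, but the same block can be enforced on each Windows host with the built-in Windows Firewall. The following is an added example written for this article, not code from Ivanti, 0patch or Microsoft; the rule display names are my own, the `smb-test.example.invalid` host is a placeholder, and it assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later, where the NetSecurity cmdlets are available.

```powershell
# Added example (not from the article): block outbound SMB/NetBIOS to non-local
# addresses on a Windows host, mirroring the perimeter workaround quoted above.
# Run from an elevated PowerShell prompt.

$ports = @{
    TCP = @("139", "445")   # NetBIOS session service and SMB over TCP
    UDP = @("137", "138")   # NetBIOS name and datagram services
}

foreach ($proto in $ports.Keys) {
    $name = "Block outbound SMB ($proto) to Internet"   # display name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # "Internet" is the firewall's built-in address keyword for every address
        # that is not part of the host's local subnets, i.e. traffic leaving the LAN.
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound `
            -Protocol $proto `
            -RemotePort $ports[$proto] `
            -RemoteAddress Internet `
            -Action Block `
            -Profile Any | Out-Null
    }
}

# Confirm both rules exist and are enabled.
Get-NetFirewallRule -DisplayName "Block outbound SMB*" |
    Select-Object DisplayName, Enabled, Direction, Action

# Optional check against a host you control outside the LAN (placeholder name):
# TcpTestSucceeded should report False while the rule is active.
# Test-NetConnection -ComputerName smb-test.example.invalid -Port 445

# Roll back once the official Microsoft update is installed:
# Get-NetFirewallRule -DisplayName "Block outbound SMB*" | Remove-NetFirewallRule
```

Because the rules match on the `Internet` address keyword rather than on specific subnets, SMB to file servers on the local network keeps working while connections to WAN addresses are dropped; this is the host-level complement of the perimeter rule, not a replacement for it, and it should be removed after the vendor fix ships so that the temporary rule does not outlive the problem it was added for.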

We’ve also reached out to Microsoft for some comments on these third-party patches, but the company instead provided us with a link to the blog post announcing the delay of February 2017 Patch Tuesday with no further statements provided regarding the risks of installing unofficial fixes.