Sophos warns of unofficial IE patch clash

IT managers need to weigh up the pros and cons of using a third-party patch

Applying third-party patches to plug a gap before a vendor fixes its software could cause more problems than it solves, a security vendor has warned.

"It may cause more conflicts further along the line because it is unpredictable if people start going around patching themselves," Graham Cluley, senior technology consultant at Sophos, told vnunet.com. 

The security expert explained that some businesses will be understandably reticent about applying the recent Zert patch that fixes a flaw in Internet Explorer because they are unable to know whether Microsoft will be able to cope with it. 

"When Microsoft does release a patch it doesn't want to have to deal with lots of third-party patches and having to cater for those patches on those computers," he said.

Cluley maintained that IT managers need to weigh up the pros and cons of using a third-party patch themselves.

"It is not a decision that we as security vendors can make for you," he said. "We can't say you should all go and get the Zert patch, because it will differ from place to place and individual to individual." 

Sophos understands that Microsoft is trying to release its own patch as soon as it can so that users do not have to wait until the next patch cycle on 10 October.

"I think an early release would be sensible because we have seen a rise in attempts to use this exploit, so it certainly is in the wild and hackers are interested in exploiting it," Cluley said.

However, Cluley suggested that, if a firm's risk is so great that it would rather rely on a third-party patch than leave the flaw open, it was "an understandable concern".

"I happen to know some of the people behind Zert and I know they are upstanding, decent, competent security people," he said.

"I would put things like the Zert patch in a slightly different camp from just being emailed by someone out of the blue with an executable file."