First some background: Since the year 2000, Microsoft has made source code available to customers, partners, developers, academic institutions and governments. The company licenses some of this source code in a way that allows it to be modified and legally redistributed. It is therefore reasonable to suppose that companies offering non-Microsoft patches for Microsoft products have based those patches on modified Microsoft source code.
In the worst case, a company producing third-party patches with less than honorable intentions could distribute a patch containing spyware, or code that makes the vulnerability the patch supposedly addresses easier to exploit.
Assuming the company producing the patch is not embedding malicious code in it (intentionally or otherwise), the biggest risk of applying a third-party patch is that it may introduce bugs into the product it is supposed to fix. After all, in the case of a Windows patch at least, many of these fixes actually replace operating system code, and a defect in a replaced system component affects every application that depends on that component, not just the vulnerable feature.
A legitimate Microsoft patch can also introduce a bug into the product it patches, but if a bug is caused by another company's fix, you cannot turn to Microsoft for help. Even if your problem is unrelated to a third-party patch, you run the risk that Microsoft's technical support staff will refuse to help you once they discover third-party patches installed on your system.
My final caveat isn't so much a risk as an inconvenience. As you probably know, many organizations use Windows Server Update Services (WSUS) to deploy Microsoft patches. Because WSUS only distributes updates that come from Windows Update, it generally cannot be used to deploy third-party patches. This means that if a company wants to deploy third-party patches, admins will have to either deploy those patches manually or invest in a more flexible patch management solution.
If you do decide to use third-party patches, use them judiciously and temporarily: verify that the patch file you received is the one the vendor actually published, test it before rolling it out, keep a record of every system that received it, and remove it as soon as a legitimate Microsoft patch becomes available.
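The "temporary and verified" discipline described above is easy to state and easy to forget on the hundredth server. The following PowerShell script is an added example, not code from the original article or from any patch vendor: it refuses to install a third-party patch unless its SHA-256 hash matches a value the vendor published out of band and its Authenticode signature is valid, and on every run it checks whether the official Microsoft fix (identified by KB number) has since arrived and, if so, removes the third-party patch. The KB number, the patch path, the expected hash, the install and uninstall switches and the log path are all placeholders you must replace with the real values for your patch.

```powershell
# Added example (not from the original article). Every value in the param block is
# a placeholder assumption; substitute the real KB number, path, hash and switches.
# Requires Windows PowerShell 4.0 or later for Get-FileHash.
param(
    [string]$OfficialKb    = 'KB000000',                      # placeholder: KB of the real Microsoft fix
    [string]$PatchPath     = 'C:\Patches\thirdparty-fix.exe', # placeholder: third-party patch file
    [string]$VendorSha256  = '0000000000000000000000000000000000000000000000000000000000000000', # placeholder
    [string]$InstallArgs   = '/quiet',                        # placeholder install switch
    [string]$UninstallArgs = '/uninstall /quiet',             # placeholder uninstall switch
    [string]$LogPath       = 'C:\Patches\thirdparty-patch.log'
)

function Write-PatchLog {
    param([string]$Message)
    # Append a timestamped line so you can later list every host that received the patch.
    $line = '{0} {1} {2}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Test-OfficialPatchInstalled {
    param([string]$Kb)
    # Get-HotFix exposes installed updates; HotFixID has the form "KBnnnnnn".
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Kb }
    return [bool]$hit
}

function Test-PatchIntegrity {
    param([string]$Path, [string]$ExpectedSha256)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Patch file $Path not found."
        return $false
    }
    # 1. The hash must match the value the vendor published separately from the download.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {        # -ne is case-insensitive, hex case does not matter
        Write-Warning "Hash mismatch for $Path (expected $ExpectedSha256, got $actual)."
        return $false
    }
    # 2. A patch that replaces operating system code should at least carry a valid
    #    Authenticode signature; an unsigned or tampered binary is rejected here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is $($sig.Status)."
        return $false
    }
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
    return $true
}

if (Test-OfficialPatchInstalled -Kb $OfficialKb) {
    # Microsoft's fix has arrived, so the temporary patch has served its purpose.
    Write-PatchLog "$OfficialKb present; removing third-party patch."
    $p = Start-Process -FilePath $PatchPath -ArgumentList $UninstallArgs -Wait -PassThru
    Write-PatchLog "Uninstall exit code $($p.ExitCode)."
}
elseif (Test-PatchIntegrity -Path $PatchPath -ExpectedSha256 $VendorSha256) {
    Write-PatchLog "$OfficialKb absent and patch verified; installing third-party patch."
    $p = Start-Process -FilePath $PatchPath -ArgumentList $InstallArgs -Wait -PassThru
    Write-PatchLog "Install exit code $($p.ExitCode)."
}
else {
    Write-PatchLog "Refusing to install unverified third-party patch."
    exit 1
}
```

Run the script from your existing scheduling or management tooling on each affected host; because it is idempotent, rerunning it after Patch Tuesday is what turns the third-party patch into a genuinely temporary measure, and the log file gives you the inventory of hosts to confirm the removal against.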
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in October 2006