Sometimes our patch and the vendor's patch are practically identical; other times the vendor's patch is superior to ours (e.g., it covers additional vulnerable points that were not known to us); and still other times our patch turns out to be better than the vendor's. Two examples:
CVE-2018-8440: We created a patch for a 0day in Windows Task Scheduler shortly after the vulnerability was published on the Internet (blog post). Two weeks later, Microsoft patched this issue with their monthly updates, and our analysis of their patch revealed that it was functionally identical to ours (blog post).
CVE-2018-8423: We published a patch for a vulnerability in Jet Database Engine the day after it was published on the Internet (blog post). Microsoft published their official patch 18 days later, but our analysis of it revealed that it was incomplete (blog post). Because the vendor patch modified the affected DLL module, and thereby changed its cryptographic hash, we had to redo our patch so that it would apply to the new, incompletely patched module. We also notified Microsoft of the flaw in their patch, and the next Windows Updates brought a proper patch, which was functionally identical to our original patch. However, these updates also included a number of other similar patches for previously undisclosed vulnerabilities in Jet Database Engine, underlining our position that whenever official vendor patches are available and don't introduce significant problems, they should be applied.