The Chief Information Officer (CIO) of Company XYZ has returned from a large IT conference
where one of the topics was defending against zero-day attacks – specifically, deploying third-party
patches to vulnerable software. Two months prior, the majority of the company's systems were
compromised because of a zero-day exploit. Due to budget constraints, the company only has
operational systems. The CIO wants the Security Manager to research the use of these patches.
Which of the following is the GREATEST concern with the use of a third-party patch to mitigate
another unpatched vulnerability?
A. The company does not have an adequate test environment to validate the impact of the
third-party patch, introducing unknown risks.
B. The third-party patch may introduce additional unforeseen risks and void the software licenses
for the patched applications.
C. The company’s patch management solution only supports patches and updates released
directly by the vendor.
D. Another period of vulnerability will be introduced because of the need to remove the
third-party patch prior to installing any vendor patch.