While original vendor patches can provide useful information to us (after all, they know their product best), we don't need them to create our own patches. Once we can reproduce the vulnerability, we can find the root cause and can also find a way (typically, more than one way) to remove it.
Granted, original vendor patches do help us, and we typically review them when they exist. For instance, when Microsoft stopped supporting Windows 7 in January 2020, they still provided three years of paid Extended Security Updates (ESU), which were a good source of information for us. In January 2023, ESU for Windows 7 was terminated, but an additional year of ESU was available for Windows Server 2008 R2 - which shares its code base with Windows 7. That gave us another year of useful information.
Even after Windows Server 2008 R2 ESU ended in January 2024, many vulnerabilities affecting still-supported Windows versions such as Windows 10 or Windows 11 also affected Windows 7 - and even though Windows 7 was no longer mentioned in Microsoft's advisories, official patches for still-supported versions were often useful for our patching of Windows 7.
But again, even in the complete absence of official patches we have sufficient knowledge and skills to create our own patches, as long as we can reproduce the vulnerability.