Cyber Basics: Software Patching

We have all been harassed by (sometimes overly) persistent popups on our home screens urging us to install system updates. No matter how many times they appear, however, most of us choose to ignore them – especially if everything is working fine. Why are updates so important anyway? Why not just ignore them?

The answer is simple. In pushing us to regularly update their products, software companies are not merely bugging us for their own amusement, but are actually trying to protect us.

Why patches matter

Installing “security patches”, also known as “service packs” or just “patches”, is simply a process that helps software stay up to date by fixing errors and closing exploitable vulnerabilities in its code. These errors and vulnerabilities are universal and unavoidable. Once discovered, these security holes become known as “zero-day” vulnerabilities and, until patched, can be used by hackers to gain entry into, disrupt, and manipulate applications, devices, and even whole networks.

To take an example: In 2012 the town of Naperville, Illinois was hit by a cyberattack after its web vendor failed to notify officials about a discovered vulnerability in its content management system. Since the city’s software was not patched, hackers were able to find and exploit a vulnerability and install undetectable malicious programs. This malware helped them remotely access computers at a local fire station and in the office of the city’s IT manager to obtain the login and password information of 59 city employees. In the end, investigating and remediating the incident cost the city over $760,000!

As the Naperville example illustrates, updating software and installing patches is crucial for the security of your computer. While patches won’t close all potential points of entry to your system, patching newly discovered security holes as soon as possible helps minimize a hacker’s attack options.

How they work

Developers are constantly working to find security holes and further perfect their products. New bugs and flaws are either discovered and fixed by developers and independent researchers before hackers can ever exploit them or, as happens often, after reports of a hack.

When a software developer has new updates or features, they typically trigger notifications on your computer. Some applications like Google Chrome will apply patches by default – i.e. they automatically apply their tweaks so you don’t have to do anything. Other patches must be installed manually, as is the case for commonly used third-party software like Adobe, Skype or QuickTime Player. With manual updates comes the option of delaying the installation of new patches. It is good practice, however, not to wait too long after you’ve been notified of available updates. Be cautious, though. Make sure to never install applications or updates from unknown developers – this software could contain the very kind of malware patches are built to help avoid.

When developers stop supporting older versions of systems, their software may require upgrades instead of updates. Do not confuse these two – an upgrade is a new version of the same software, not just a modification of what exists already. Once upgrades are made available, developers usually stop issuing updates to old software after a certain period of time. In other words, they stop looking for security holes and ways to optimize old versions and shift their focus to the newer versions. Take for example Internet Explorer. In early 2016 Microsoft ended its technical support for older versions of Internet Explorer and announced it would only make updates to its latest version, Internet Explorer 11.

Installing patches may be annoying, but doing so is important. Unpatched systems are vulnerable systems, and to a hacker any vulnerability is an opportunity. Next time the “update” message pops up on your computer, don’t ignore it. Five minutes spent installing and restarting will always beat months of costly and stressful remediation from a cyberattack. If you are pressed for time and can’t update the very second new patches roll out, of course that is fine. Remember, though, don’t wait too long!