You’ve likely seen jokes online about people delaying updates for ridiculous amounts of time. And while nobody likes stopping what they’re doing to install updates, they’re important.
Let’s look at how delaying security patches can put you at risk. Next time an update prompt appears, you’ll have a better understanding of this process.
What Do Security Patches Do?
Security patches are issued to fix vulnerabilities in software—including both apps and operating systems themselves—all the time. Vulnerabilities, as the name implies, are weaknesses in software that people with malicious intent can exploit.
Sometimes these vulnerabilities can sound theoretical, but they have serious consequences. For example, a flaw in your OS that allows any user to gain administrative privileges would mean that someone with physical access could steal all your files. Or a flaw in an app that leaks data could end up exposing your private details.
For some flaws, like those in protocols used everywhere online, it’s up to the manufacturer or website owner to fix them. But in a lot of cases, the vulnerabilities lie with apps on your system. This is why you get prompts to install updates regularly, especially for Windows due to its wide usage.
Let’s take an offline example of how a security patch might work, which we’ll use throughout our discussion.
Say you have a home security system to protect your belongings and your family. A year after you buy and implement the system, you get a call from the company. It found out that the system has a flaw: if anyone claps three times while bouncing on one leg, the system can’t detect the intruder.
If the company offered to fix this vulnerability for free, you’d happily accept the offer, right?
This is akin to what a software patch does for your computer. If there’s a known issue that a malicious program can exploit, it’s in your best interest to get it fixed, and quickly.
Why Do Security Updates Happen So Often?
The more complex a system is, the more likely it is to have vulnerabilities. An app with a few thousand lines of code is fairly easy to protect against intrusion. But with an OS like Windows or macOS that has many moving parts, it’s much harder to predict and protect against all potential exploits.
Plus, the more people use a system, the more of a target it is for hacking. Someone who hacks an app that 100 people use can’t do much, but an exploit in Windows that affects millions of machines is much more of a threat.
Terminology: Patches, Hotfixes, and More
Security updates and patches are mostly-interchangeable terms. A patch refers to an update that changes a previous piece of code.
Generally, manufacturers issue patches that include fixes for several issues at once. These patches can also add new features not related to security. The term “Patch Tuesday” describes the practice of Microsoft and other companies sending out patches for most users on the second Tuesday of the month.
“Hotfix” is another term in this sphere. It refers to a smaller download issued to quickly fix a particular problem. Since they’re issued to fix critical issues, or problems that arose from an earlier patch, they’re not given to the public right away like standard patches.
Instead, customers can choose to apply the fix to their “hot” systems. Doing so can resolve the flaw, but might introduce other problems due to the hasty nature of the fix.
Understanding Zero-Day Vulnerabilities
A zero-day vulnerability is a particular risk. This is a name given to attacks that nobody knows about until they happen. If the manufacturer learns about a security flaw at the same time as attackers do, those people can cause as much damage as they want while the manufacturer scrambles to fix it.
Returning to the example of the home security system: think about if you were the first person to discover that the system didn’t work after you clapped three times and hopped on one leg. You could rob people with little risk after you learned this, making that knowledge of an exploitable flaw that nobody else knows about a zero-day vulnerability.
Patches Broadcast Vulnerabilities
Thus arises the need to install updates quickly. Once developers release a patch to fix an issue, malicious developers can study what it changes. This allows them to examine other systems and determine whether those machines are unpatched—and thus vulnerable to attack.
With our example, say the fix that the company added produced an audible warning when it heard three claps. Consider a would-be robber who knew about the flaw in the home security system: if he clapped and didn’t hear any warning, he would know your house is clear to rob. In a way, issuing notices about security flaws teaches people how to exploit them.
Because patches serve as blueprints like this, installing patches quickly is in your best interest. Your system will be passed over as an attacker looks for someone else they know they can exploit.
This is also why companies tend to avoid giving detailed notes on which vulnerabilities a patch fixes. Some of Apple’s support pages have the following message:
For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.
Apple laying out the exact steps to take advantage of a new security flaw would hurt more people than it helped.
How to Keep Your Systems Updated
Thankfully, most modern operating systems install updates automatically without much input from you. We’ve explained how to manage Windows Update and how to keep your Mac up to date. For mobile, check out how to update your Android device or our guide to keeping your iPhone updated.
Updating software is different, depending on your platform. Apps like Chrome and Slack install updates automatically as they become available, meaning you don’t have to think about them. Other apps prompt you to install updates manually, which you should do when you’re able.
For convenience, you’ll also find programs like Patch My PC, which lets you check for and install lots of updates all at once.
Install Patches and Stay Safe
We’ve looked at why security patches are so important. Now you know why you should install them when you’re able to conveniently. They’re not glamorous, and you don’t have to drop everything to install them, but being prudent about updates will keep you from falling victim to known issues.
Keep in mind that software updates aren’t the only important type—firmware updates protect other kinds of devices.
Almost every bit of hardware has firmware, but what is it and why might you need to update it?
About The Author