Applying software updates and patches is a critical security precaution. While antivirus and other endpoint security measures are an important line of defense, a program of regularly and consistently patching software removes many of the vulnerabilities that cybercriminals target.
The recent Equifax breach, which could have been prevented by applying an available software patch, is only the most recent and highest-profile example of the importance of patching. A few months earlier, the WannaCry ransomware outbreak succeeded in targeting unpatched systems. Six weeks later, the lesson had not been learned as the Petya ransomware exploited the same vulnerability.
Why is patching important?
Software programmers make mistakes. The larger and more complex the program, the more code it contains, and the more likely it is that errors will creep in. Software companies invest heavily in testing, but it is nearly impossible to predict a program’s interaction with other software that might be running on an individual machine at the same time. So whether you call them “errors” or “unforeseen circumstances,” the end results are holes—openings that allow outside code to be written into memory and then executed.
When cybercriminals take advantage of these openings, the rogue instructions carry criminal intent. “White hat” hackers find these vulnerabilities and inform the software companies and computer security companies about them. “Black hats” exploit them for mischief, malice or money. When holes are uncovered, software companies do their best to develop and furnish fixes to close them. The best way to fix a hole is to fill it, and that’s what patches do.
How vulnerable is software, really?
It’s tempting to think of the security of an operating system or application as directly measurable by the number of patches it requires. Actually, the patch count might more appropriately be seen as a measure of due diligence. For example, some of the patches might address vulnerabilities that are more theoretical than real, or that can be successfully exploited only in the narrowest of circumstances. So patch count may overestimate vulnerability.
At another extreme, current attack patterns might seem to downplay the criticality of patching. Social engineering plays a big part in cybercrime. Tricking users into running an executable file doesn’t require deep knowledge of software vulnerabilities. But the clickbait is often only the initial attack: once a machine is compromised, it probes others across the network, testing for vulnerabilities and going after more systems and higher-value targets. Moral? If the prevalence of social engineering leads you to think unpatched vulnerabilities aren’t a big problem, you’re leaving systems exposed. (Learn more about social engineering and defensive techniques in our tech brief, “Why Social Engineering Happened to You.”)
What steps should I take next?
Large organizations first test new patches before committing them to systems that run critical business processes. Smaller organizations don’t have the resources, so the best advice is to back up your systems to prevent a patch from doing something that knocks a critical system offline or triggers a data loss. That means backing up not just the data, but the applications, so you can quickly restore the ability to access the data.
Read our companion post on how to prioritize patch management in your organization, which offers five tips to get you started on a patch program to protect your organization.
How ESET can help
ESET offers a multi-platform patch management solution — Flexera Corporate Software Inspector — as part of our suite of security solutions for an adaptive security architecture. It gives you complete visibility over the patch status of your systems, provides guidance so your teams know what to patch and how, and covers more than 20,000 applications on Windows, macOS and Red Hat Enterprise Linux.
This article was adapted from “Vulnerabilities, exploits and patches,” by ESET Senior Research Fellow David Harley, published on our sister site WeLiveSecurity.