System patching is critical to the security of the software and hardware that make up computer systems. When vendors become aware of vulnerabilities in their products, like the recent discovery of multiple flaws in Apache’s Log4j logging library, they often issue patches to fix those vulnerabilities. Making sure that relevant patches are applied to the computer systems that are critical to your organization as soon as possible can keep your systems protected.
What are patches?
Patches are software and operating system (OS) updates that address security vulnerabilities within a program or product. Software vendors may choose to release updates to fix performance bugs, as well as to provide enhanced security features.
How do you find out what software updates you need to install?
When software updates become available, vendors usually put them on their websites for users to download. Some vendors, such as Microsoft, Apple, Google and Adobe, deliver these updates or patches through an automated system. Install updates as soon as possible to protect your computer, phone, or other digital device against attackers who would take advantage of system vulnerabilities. Attackers may target vulnerabilities for months or even years after updates are available.
Some software will automatically check for updates, and many vendors offer users the option to receive updates automatically. If automatic options are available, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that you take advantage of them. If they are not available, periodically check your vendor’s websites for updates.
Make sure that you only download software updates from trusted vendor websites. Do not trust a link in an email message—attackers have used email messages to direct users to websites hosting malicious files disguised as legitimate updates. Users should also be suspicious of email messages that claim to have a software update file attached—these attachments may contain malware (see Using Caution with Email Attachments for more information).
If possible, only apply automatic updates from trusted network locations (e.g., home, work). Avoid updating software (automatically or manually) while connected to untrusted networks (e.g., airport, hotel, coffee shop). If updates must be installed over an untrusted network, first establish a virtual private network (VPN) connection to a trusted network and apply the updates through it.
What is the difference between manual and automatic updates?
Users can install updates manually or elect for their software programs to update automatically.
- Manual updates require the user or administrator to visit the vendor’s website to download and install software files.
- Automatic updates require user or administrator consent when installing or configuring the software. Once you consent to automatic updates, software updates are “pushed” (or installed) to your system automatically.
What is end-of-life software?
Sometimes vendors discontinue support for a software program and stop issuing software updates for it; such software is known as end-of-life (EOL) software. Examples include Windows XP, Windows 7 and Microsoft Office 2003. Continued use of EOL software poses a significant risk to your system: newly discovered vulnerabilities in it will never be patched, so an attacker can exploit them indefinitely. Unsupported software can also cause compatibility problems and degrade system performance and productivity.
The general recommendation is that users and administrators retire all end-of-life (EOL) products.
Best Practices for Software Updates
- Enable automatic software updates whenever possible. This will ensure that software updates are installed as quickly as possible.
- Do not use unsupported EOL software.
- Always visit vendor sites directly rather than clicking on advertisements or email links.
- Avoid software updates while using untrusted networks.
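The EOL and best-practice points above translate into a check an administrator can run over a software inventory: flag products past their vendor's end-of-support date, flag installs that lag the vendor's latest release longer than a patching deadline, and flag hosts with automatic updates turned off. The script below is an added example, not part of the original article or of any CISA tool; the inventory, host names, versions and release dates are constructed sample data, the 14-day deadline is an assumed policy value, and the end-of-support dates are the ones Microsoft published for those products.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates (as published by Microsoft). A product that is
# absent from this table is treated as still supported.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Microsoft Office 2003": date(2014, 4, 8),
}

@dataclass
class Installed:
    host: str
    product: str
    version: str           # version currently installed
    latest: str            # latest version the vendor has published
    latest_released: date  # when that latest version was published
    auto_update: bool      # whether automatic updates are enabled on this host

def _ver(s):  # dotted version string -> tuple of ints, so versions compare numerically
    return tuple(int(p) for p in s.split("."))

def check_entry(e, today, max_patch_age_days=14):  # findings for one install; [] = compliant
    findings = []
    eol = EOL_DATES.get(e.product)
    if eol and eol <= today:
        findings.append(f"EOL since {eol.isoformat()}: retire")
    if _ver(e.version) < _ver(e.latest):
        age = (today - e.latest_released).days  # how long the fix has been available
        if age > max_patch_age_days:
            findings.append(f"patch overdue by {age - max_patch_age_days} days ({e.version} -> {e.latest})")
        else:
            findings.append(f"patch pending ({age} days since release)")
    if not e.auto_update and not eol:  # no point flagging a product that must be retired anyway
        findings.append("automatic updates disabled")
    return findings

def audit(inventory, today, max_patch_age_days=14):  # map 'host/product' -> findings
    return {f"{e.host}/{e.product}": check_entry(e, today, max_patch_age_days) for e in inventory}

# Constructed sample inventory; hosts, versions and dates are illustrative only.
REFERENCE_DATE = date(2022, 1, 20)
INVENTORY = [
    Installed("fileserver-01", "Windows 7", "6.1.7601", "6.1.7601", date(2020, 1, 14), False),
    Installed("laptop-12", "Windows 10", "10.0.19043", "10.0.19044", date(2021, 11, 16), True),
    Installed("build-03", "Apache Log4j", "2.14.1", "2.17.1", date(2021, 12, 28), False),
    Installed("workstation-05", "Adobe Reader", "21.011.20039", "21.011.20039", date(2022, 1, 11), True),
]

if __name__ == "__main__":
    for key, issues in audit(INVENTORY, REFERENCE_DATE).items():
        print(key, "->", "; ".join(issues) or "compliant")
```

In a real deployment the inventory would come from your asset-management or endpoint tooling and the release dates from vendor advisories; the checks themselves stay the same.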
New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep your software up to date. This is the most effective measure you can take to protect your computer, phone, and other digital devices.
Content for this article is sourced from The Cybersecurity and Infrastructure Security Agency (CISA).