
Security updates: A very necessary ‘evil’

On more than one occasion we have all seen messages such as ‘Security update available’ or ‘Your device will restart to apply updates’. Although it may seem otherwise, this is not a conspiracy by technology companies or manufacturers to slow us down or bother us in our daily lives.

Daniel Consentini

Security updates on different devices are an important barrier against malicious actors who want to gain control of our assets. They are annoying but essential.






What is an update, really?

To answer this question, we have to start from the premise that all software is vulnerable. In other words, all operating systems, applications, websites and other such things have cybersecurity problems. There is no such thing as a 100% secure system.

The above statement is easy to understand if we consider that an application may be secure today, but tomorrow a previously unknown flaw may be discovered, leaving it totally exposed. That is why we say that there will never be a completely secure system.

Knowing this, it makes sense that, as new vulnerabilities and flaws are discovered, the affected systems are updated by the manufacturers or developers themselves.

Depending on what the update is meant to cover, there may be problems that are solved in a matter of minutes with a patch that adds, removes or modifies parts of the code, or there may be flaws that affect the core itself and make it necessary to modify almost the entire software. In any case, an update is nothing more than an alteration of the initial software that solves a specific problem.

Why are they so frequent?

Updates usually follow a specific ‘calendar’ or frequency. Monthly updates are the most common, although any other frequency is possible. These updates cover a group of vulnerabilities or faults found in a certain period of time, so several vulnerabilities can be corrected in a single action.

Similarly, there are also ‘ad-hoc’ updates, designed to cover a smaller group of problems. These updates do not follow an established frequency and are issued in the shortest possible time in response to a very specific and dangerous vulnerability.

So, in answer to the question in the title, these updates are, in some cases, so frequent because of the large number of attacks and problems that the software presents. This is not to say that the application, for example, is poorly designed; after all, in terms of security, a new vulnerability is discovered every second and it is necessary to keep up to date.

How are vulnerabilities discovered?

There are different types of vulnerabilities depending on their objective, the way they proceed, the mechanism used, etc. Something they all have in common is that they are classified according to a degree of criticality and whether or not they are being exploited. This is worth mentioning because there may be vulnerabilities for a given system that, without anyone knowing it, also apply to another system. In that case, the vulnerability is relatively well known but was not initially considered for the other system.

On the other hand, we have a series of vulnerabilities that are not known or that have been discovered very recently. This leaves the manufacturer little margin to propose a solution and have it distributed, leaving the systems exposed during this period.

But returning to the initial question, how are these types of vulnerabilities discovered, and by whom? Here I would highlight some of the ways:

  • Internal manufacturer personnel: Researchers, developers, people who test the application, security people, etc., who are paid for this work.
  • System users: In some cases users come across problems by chance and report them, and these turn out to be software flaws.
  • Independent researchers: There are many cybersecurity professionals who, without any kind of remuneration, report problems they encounter.
  • Bug bounty: Some organisations offer reward programmes for finding problems in the application. Very high-level professionals can be added here.
  • Malicious actors: This would be the worst-case scenario. They do not report the problem; they put it up for sale. Many companies pay these people to look at what has been found and correct it. The problem arises if cybercriminals use the finding to attack the software.

Lack of updates and importance

As you can imagine, the lack of updates in a system makes that same system vulnerable to certain attacks. It doesn’t mean that by not installing certain updates, the next day they will take control of the device, but it is true that the degree of exposure and the likelihood of this happening increase.

Similarly, we must be aware that, in this sense, our systems are born with an expiry date as far as updates are concerned. In other words, manufacturers cover updates and security monitoring for a fixed number of years. This can be two, three, five, ten, … whatever the manufacturer or developer deems appropriate. But when that date arrives, we have to be aware that our device (and above all, our data) is exposed.

Updates in organisations

So far we have talked about updates in ‘day-to-day’ systems, but the same also applies to the professional environment. In this scenario, everything becomes exponentially more complicated because the updates affect critical systems where their application is not trivial.

Practically 100% of a company’s systems have to be updated. The problem can arise when there is a very serious vulnerability, the system is exposed, and applying the update means leaving thousands and thousands of users without service. As if that were not enough, depending on the environment, the updates have to be tested first. In other words, you cannot update a critical system only for the update itself to cause something worse.

For cybersecurity professionals this type of action is, on certain occasions, a headache: they have to look for the best solution, but that solution always involves applying the update. Here solution manufacturers can also help by releasing updates that are well tested and have less impact.

What happens if a good update study is not done?

One of the clearest examples, and one that I would like to mention in this post, is what happened on 19 July 2024. On that date, a problem in a security update of a well-known anti-malware system widely used in the sector left around 8.5 million computers completely inoperative.

The problem caused huge losses in health and finance, but where it had the greatest impact and repercussions was in the transport sector, specifically in aviation. It is estimated that around 1,000 flights were cancelled on the ground, with a very negative impact on these companies. Likewise, the company where the problem originated, as well as associated third parties, suffered huge losses during those days.

Beyond the incident and its impact, this prompted a review of how updates have to be carried out in different companies. Although it was a one-off problem, there must be an action plan in which updates are tested and not distributed en masse on the assumption that they will work.
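The kind of action plan described above can be sketched as a staged rollout with a health gate. This is an added example, not code from the original post or from any vendor's tooling: the ring names and sizes, the 2% failure threshold and the host names are all assumptions chosen for illustration.

```python
import hashlib

# Assumed ring layout: (name, cumulative share of the fleet). Not from the article.
RINGS = [("canary", 0.01), ("early", 0.10), ("broad", 1.00)]
MAX_FAILURE_RATE = 0.02  # assumed gate: halt if more than 2% of a ring is unhealthy

def ring_for(host_id: str) -> str:
    """Stable ring assignment: hash the host ID into [0, 1) and pick the first
    ring whose cumulative share covers it, so a host never changes ring."""
    digest = hashlib.sha256(host_id.encode()).digest()
    position = int.from_bytes(digest[:8], "big") / 2**64
    for name, cumulative in RINGS:
        if position < cumulative:
            return name
    return RINGS[-1][0]

def staged_rollout(fleet, apply_update, is_healthy):
    """Apply an update ring by ring. After each ring, check health and stop
    before the next ring if the failure rate exceeds the gate.
    Returns (updated_hosts, name_of_ring_that_halted_or_None)."""
    updated = []
    for name, _ in RINGS:
        ring_hosts = [h for h in fleet if ring_for(h) == name]
        if not ring_hosts:
            continue
        for host in ring_hosts:
            apply_update(host)
            updated.append(host)
        failures = sum(1 for h in ring_hosts if not is_healthy(h))
        if failures / len(ring_hosts) > MAX_FAILURE_RATE:
            return updated, name  # halt: later rings never receive the update
    return updated, None

# Constructed sample fleet of 2,000 host names (illustrative only).
FLEET = [f"host-{i:04d}" for i in range(2000)]

def simulate(update_is_faulty: bool):
    """Simulate a rollout in which a faulty update leaves every updated host unhealthy."""
    state = {}
    updated, halted = staged_rollout(
        FLEET,
        apply_update=lambda h: state.__setitem__(h, not update_is_faulty),
        is_healthy=lambda h: state.get(h, True),
    )
    return len(updated), halted
```

With a faulty update, `simulate(True)` stops at the canary ring, so only about 1% of the fleet is affected instead of all of it.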

Conclusions

As a summary and conclusion, I would like to mention again the importance of updates in systems. They are not at all obsolescence techniques, nor are they sent with any purpose other than to protect against new threats or vulnerabilities.

We must always have our systems fully updated to the latest version. If we don’t, we are taking a risk with our data and our lives. There are now configurations that make this task easier for us by means of scheduled or automatic updates, making this action seem trivial, even transparent.
