Software Vulnerabilities and Patches

Operating System Updates

No matter how careful a programmer is, it is difficult not to make mistakes when building a complex computer program. These mistakes can cause problems when the software is used, causing the program to crash or otherwise malfunction. These problems, often called "bugs," are sometimes discovered in a program, and may open a vulnerability that would allow a malicious hacker to attack your computer. Be aware that all software applications are susceptible to these vulnerabilities. When these vulnerabilities are discovered, the software companies and vendors issue "patches" that fix the particular problems. You need to be sure you download and install these patches.

It is imperative that you check your software vendors' web sites on a regular basis for new security patches or use automated patching features that some software applications offer. If you don't have the time to do the work yourself, you can download and install a utility program to do it for you. Stay informed!

The CERT® Coordination Center posted an article outlining the steps needed to keep a home computer secure. The second task mentioned is to keep your system patched.

To update your particular operating system, you can visit:

Why Should I Patch My System?

It is important to keep your software up to date by applying the latest vulnerability patches. In the year 2003, Microsoft alone released more than 50 security patches for its various software products and Windows operating systems. In fact, some of the patches are so important that one released in August of 2002 would have stopped the SQL Slammer worm from propagating six months later in 2003, if the patch had been heeded when it was released.

The unfortunate tendency of companies, agencies, and even private citizens not to patch their systems is one reason that many worms cause as much havoc as they do.

Reasons for installing software patches include everything from repairing stability issues and interoperability to making the software less susceptible to malware. Some are intended to fix bugs in the program; a recent Microsoft Windows update fixed a bug that made it impossible to log onto a website automatically. Another reason to patch your systems is to keep them running reliably and to prevent large-scale security problems.

The US-CERT has released a document titled "Understanding Patches."

Why Are So Many Computers Left Unpatched?

Whether or not to patch a system can be a difficult decision, as it can sometimes cause unexpected problems. Some administrators are too busy to test new software patches, while others do not have the time to test the patches as extensively as required. Others make the erroneous assumption that if there is not currently a known exploit, that there is no need to apply the patch.

According to FSS Computer Consulting, these are some common reasons why system administrators do not apply patches:

  • The systems are properly configured, firewalls in place, and/or intrusion detection systems intalled. This means the systems are configured optimally.
  • Patching is inherently dangerous. I cannot afford the risk of downtime.
  • Downtime risk is perceived to be too great to mitigate.
  • I have most of the security problems covered. So, why worry?
  • There are so many patches, no one has time to research them, and the deployment is too complicated.

This complacency is a dangerous trend as the ever-increasing number of security issues needs to be matched by the zeal of both system administrators, and home users.