Software updates can have both positive and negative effects. On one hand, they introduce new features and address problems, but on the other hand, they may introduce new bugs. In the past, people would postpone updates in order to avoid these complications, which made sense during the early days of computing. However, considering the increasing prevalence of security vulnerabilities, it is now imperative not to put updates off.
This article for Cybersecurity Awareness Week is presented in partnership with Incogni.
In the 2000s, automatic software updates were not very common. This became a problem as the internet became more popular and malware attacks increased. For instance, in April 2004, Microsoft patched a security vulnerability in Internet Explorer. However, a few months later, a virus that exploited the same vulnerability was able to target many PCs because people had not yet installed the security patch. Additionally, security fixes for Windows and Mac OS X (later macOS) were either not automatically installed or were difficult to manage.
Google Chrome played a significant role in making automatic updates more mainstream. This was partly because these updates rarely caused any issues and were almost unnoticeable. In 2012, Mozilla added a similar "Silent Update updater" feature to Firefox with the release of Firefox 15. Eventually, other web browsers also adopted this approach. Many other applications started implementing automatic updates as well, or relied on app stores or game launchers for updates. Interestingly, the Steam game launcher has supported automatic updates since its inception in 2003.
Automatic updating is now widely embraced as the default behavior for most software, rather than being restricted to just the operating system or a few vulnerable applications. Tech companies are becoming more adept at identifying potential issues with updates before their widespread implementation, employing techniques such as staged rollouts, crash reporting, unit testing, and pre-release channels. As an illustration, new features in Chrome typically debut in the Canary and Dev channels, progress to the Beta channel once they demonstrate sufficient functionality, and eventually become available to all users of the regular (Stable channel) Chrome. Microsoft presently offers four pre-release channels for Windows 11: Canary, Dev, Beta, and Release Preview.
The Alternative is Worse
Despite implementing better testing and development processes, there remains the possibility of introducing bugs with software updates. Whether created by humans or AI trained on human work, mistakes can still occur. Although it may be tempting to postpone app and operating system updates, especially if your device is functioning well, it is advisable to install updates promptly. These updates have the potential to protect you from malware and the theft of personal data.
In recent years, we have observed a significant rise in the discovery of security vulnerabilities, including "zero-days": vulnerabilities that are made public before a solution is available. Mandiant, a threat intelligence company now owned by Google, tracked 246 vulnerabilities between 2021 and 2022, marking an increase from previous years. It is noteworthy that 62% of these vulnerabilities were exploited as zero-days.
Thankfully, companies have been improving their response to security issues by addressing them promptly after discovery. According to Mandiant, out of the 153 zero-days identified between 2021 and 2022, only 35 (23 percent) received patches within the first month after the initial exploitation. This suggests that a majority of zero-days are remedied in a timely manner. Remarkably, 101 zero-days were patched within the first week of their discovery.
However, it seems that security vulnerabilities have persisted in 2023. For instance, Google resolved one in the Chrome browser in April, Windows 11 encountered several this year, and Apple had to update all its devices in August due to a Safari exploit. Additionally, a security flaw was uncovered in a WebP image library, resulting in urgent fixes for various applications such as Google Chrome, Mozilla Firefox, Thunderbird, Microsoft Edge, and LibreOffice, all of which used the affected code.
It's more important than ever to ensure your operating system, applications, and other software are always up to date, and to make sure your friends and family are doing the same.
The Important Updates
Fortunately, maintaining security does not necessarily require immediately installing the latest Windows or iOS upgrades. Many operating systems and popular applications offer security fixes as separate updates, which typically do not include any significant changes to features. For instance, Microsoft provides monthly security updates for both Windows 10 and Windows 11, with support for Windows 10 ending in 2025. Additionally, even after a new major version is released, LibreOffice, the open-source office suite, continues to address bugs and security flaws in the previous version for a period of time.
Apple, on the other hand, supports two to three major versions of macOS and iOS/iPadOS at any given time. For example, when Apple addressed the security vulnerability CVE-2023-42824 on iPhones and iPads, the fix was made available for both iOS 16 and iOS 17. This means that if you have not yet upgraded to the latest major release, or if your device does not support iOS 17 due to age limitations, you are still protected against security threats.
When given the option, choosing to install just security fixes can be a smart way to ensure safety without the need to adapt to other modifications.