Understanding Patches and Software Updates
By: The National Cybersecurity & Communications Integration Center (NCCIC)
Original release date: July 14, 2009 | Last revised: September 28, 2018
When vendors become aware of vulnerabilities in their products, they often issue patches to fix those vulnerabilities. Make sure to apply relevant patches to your computer as soon as possible so that your system is protected.
What are patches?
Patches are software and operating system (OS) updates that address security vulnerabilities within a program or product. Software vendors may choose to release updates to fix performance bugs, as well as to provide enhanced security features.
How do you find out what software updates you need to install?
When software updates become available, vendors usually put them on their websites for users to download. Install updates as soon as possible to protect your computer, phone, or other digital device against attackers who would take advantage of system vulnerabilities. Attackers may target vulnerabilities for months or even years after updates are available.
Some software will automatically check for updates, and many vendors offer users the option to receive updates automatically. If automatic options are available, NCCIC recommends that you take advantage of them. If they are not available, periodically check your vendors’ websites for updates.
Make sure that you only download software updates from trusted vendor websites. Do not trust a link in an email message — attackers have used email messages to direct users to websites hosting malicious files disguised as legitimate updates. Users should also be suspicious of email messages that claim to have a software update file attached — these attachments may contain malware (see Using Caution with Email Attachments for more information).
If possible, only apply automatic updates from trusted network locations (e.g., home, work). Avoid updating software (automatically or manually) while connected to untrusted networks (e.g., airport, hotel, coffee shop). If updates must be installed over an untrusted network, use a Virtual Private Network connection to a trusted network and apply updates.
What is the difference between manual and automatic updates?
Users can install updates manually or elect for their software programs to update automatically.
Manual updates require the user or administrator to visit the vendor’s website to download and install software files.
Automatic updates require user or administrator consent when installing or configuring the software. Once you consent to automatic updates, software updates are “pushed” (or installed) to your system automatically.
What is end-of-life software?
Sometimes vendors will discontinue support for a software program and stop issuing software updates for it (such software is known as end-of-life [EOL] software). Continued use of EOL software poses a significant risk to your system: security vulnerabilities in the software remain unpatched, allowing an attacker to exploit them, which could result in malware attacks. The use of unsupported software can also cause software compatibility issues as well as decreased system performance and productivity.
NCCIC recommends that users and administrators retire all EOL products.
Best Practices for Software Updates
- Enable automatic software updates whenever possible. This will ensure that software updates are installed as quickly as possible.
- Do not use unsupported EOL software.
- Always visit vendor sites directly rather than clicking on advertisements or email links.
- Avoid software updates while using untrusted networks.
New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep your software up-to-date. This is the most effective measure you can take to protect your computer, phone, and other digital devices.
The National Cybersecurity and Communications Integration Center’s (NCCIC) mission is to reduce the risk of systemic cybersecurity and communications challenges in its role as the nation’s flagship cyber defense, incident response and operational integration center. Since 2009, NCCIC has served as a national hub for cyber and communications information, technical expertise and operational integration, and has operated a 24/7 situational awareness, analysis and incident response center. Visit its website to access tools, techniques, research and guidelines. You can also sign up to receive security alerts, tips and other updates.