Should you install the latest update? Yes, please do
While updating software, firmware, and devices may seem trivial, it is an important part of maintaining good overall cybersecurity posture.
So, odds are you should definitely update to the latest version of software or firmware - especially if the update contains security patches or fixes.
Reasons to install new and available updates for software, firmware, and devices typically includes:
- Fixing security vulnerabilities
- Addressing bugs and quality of life issues
- Accessing new features
Fix known security vulnerabilities
At minimum, users should update their devices as soon as reasonably possible when there is a security update available. Security updates/hot fixes/patches fix known security vulnerabilities. Vulnerabilities can be exploited by malicious actors - some are more serious than others.
Without timely updating to the latest security patch, users leave themselves open to exploits and attacks that have otherwise been addressed an available update. By not keeping up with security updates (or by extension, using software that is determined to be end of life), users take unnecessary risks with their software/device security.
"Hackers" are faster in exploiting vulnerabilities
According to 2020 reached conducted by Unit 42 at Palo Alto, approximately 80% of exploits are published faster than common vulnerabilities and exposures (CVEs). Specifically, in this research, Palo Alto and acknowledged that certain software or hardware may have vulnerabilities with exploits without CVEs. CVEs primarily give users a way to recognize unique vulnerabilities.
What does this mean for the user? Security updates may be released for particularly critical exploits prior to the assignment of CVE(s). As such, it remains important to stay on top of security updates - waiting until “more information” comes out, such as CVE entries in NIST’s National Vulnerability Database (NVD), leaves you open to exploitation - especially if the update is already released via official update channels.
Threat actors/malicious entities move fast upon a discovered zero-day or disclosed vulnerability. According to many reports from cybersecurity-related publications, it appears the time between vulnerability disclosure and exploitation has decreased year-over-year.
Therefore, once a vulnerability is made public, malicious actors have become quicker in exploiting the disclosed vulnerability; this makes keeping up with security updates even more crucial in the current landscape, as many threat actors will move to exploit recently patched/disclosed vulnerabilities as quickly as possible to up their chances of succeeding/meeting their goals.
Availability of updates can be public disclosure
Public vulnerability disclosure happens in many ways; a common method for developers and vendors to disclose vulnerabilities is in patch notes fixing the vulnerabilities. This makes sense because it presents a problem (the vulnerability) and a solution (the update) in one place. Announcing the vulnerability before the update can put users at risk - especially those who do not exercise mitigating controls, which includes many users.
There are certainly cases where public disclosure before a proper update/patch happens, but this is beyond the scope of this post.
Malicious actors pay attention to patch notes for reconnaissance and development of exploits - they often know someone will lag behind in updating their devices or software. In fact, for OWASP's Top 10 Web Application Security Risks for 2021, "Vulnerable and Outdated Components" was number 6.
So, in many cases, malicious actors are correct to assume a sizable portion of users will lag behind in security updates; they can "cash in" on the early phases of a public security patch release, knowing many users will not have upgraded to the latest version yet.
Exploits may also be discovered being used “in the wild” by security researchers, who may then alert the vendor so they can prepare an update. These are known as “0-days,” or vulnerabilities exploited in the wild without prior vendor awareness.
Provide bug fixes and quality of life updates
Firmware and software updates also frequently provide bug fixes for known issues or user pain points. Pain points can range from random application or device crashing to near-total loss of usability of the software or device.
Bugs are typically annoyances for the users. In most cases, the software or device is usable but contains “glitches” or performs otherwise unintended behavior.
For example, perhaps every time you lock your smartphone, it doesn’t automatically put the screen to sleep despite that setting being ticked in your settings app. Or perhaps in a calculator app, when you press the “add” button once it always adds two + operators versus just one.
Bugs can be vulnerabilities too
In some cases, bugs can indeed render a device or software application effectively unusable - sometimes for security reasons - until an update addressing the issue is released by the developer or vendor. If the bug allows malicious actors to do something "unintended" like gain unauthorized access on a computer, then it becomes a "security bug."
Security bugs typically include categories, such as (but not limited to):
- Race conditions
- Improper exception handling
- Resource leaks
Security bugs are similar to vulnerabilities, though they do not need to explicitly identified. Like vulnerabilities, security bugs can also be the results of inherently insecure design, lack of quality assurance testing, or inadequate use case analysis.
Insecure design is number 4 on OWASP's Top 10 Web Application Security Risks. Insecure designs are security flaws by design of the software, firmware, or device itself.
Sometimes security bugs can lead to, or become, vulnerabilities. For example, a bug that causes a device to randomly restart may turn into a security concern if it can be “weaponized” to purposely keep the device offline or busy in what is known as a Denial of Service (DoS or DDoS) attack. Or perhaps a rather innocuous buffer overflow security bug is the starting point for an exploit chain used by an advanced persistent threat (APT) in the wild.
If many security bugs are present in the source code of firmware or software, then this could be indicative of an existing vulnerability and/or an insecure design and/or architecture. This isn't always a cause-and-effect relationship as it would be incorrect to say that all security bugs are a result of insecure design.
Quality of life fixes
Quality of life fixes are very similar to bug fixes and frequently include the introduction of new but minor features or small improvements on existing features.
Quality of life fixes are generally introduced with continuous user feedback. Quality of life fixes cover a broad range of improvements for users. Sometimes they can include user interface (UI) adjustments or added tool tips for quick reference.
New features are perhaps the most exciting part of updating devices and software. Sometimes new features are “surprises,” or long-anticipated releases requested by the end users. New features can be... well, anything and are completely outside the scope of this particular post.
New features introduced may also help mitigate future/potential 0-day exploits. New features frequently address bugs and introduce quality-of-life improvements for the end user.
New features can also alleviate bugs and introduce quality-of-life improvements for the end user.
If you only take one thing from this post, then please let it be this:
You should be sure to at least install security updates or updates that include security fixes for your software, firmware, and devices.
Installing these updates helps ensure that users remain protected from exploits using known security vulnerabilities in software, firmware, or devices.
Updates also frequently include bug fixes and new features, which should improve use of the software or device for the end user.
With that said, stay safe out there!