If software patches are important, why do so many ignore them?
The handling of software vulnerabilities has come a long way in the past decade with the emergence of generally accepted procedures for reporting and responding to vulnerabilities. Responsible vendors have formal programs for issuing patches and updates for their software with automated systems for downloading them.
Yet security has not noticeably improved, and monthly and regular reports assessing the state of our security show that known vulnerabilities for which fixes are available, some of them years old, continue to account for the bulk of successful exploits.
These problems persist not just because end users are ignorant or lazy or because system administrators are overworked, understaffed and have inadequate budgets. Someone, either the users, the administrators or their bosses, is a making conscious decision that installing software patches is not worth the effort.
Targeted attacks, mobile vulnerabilities on the rise, report states
For some hacks, everything old is new again
They are not necessarily ignoring the problem. They have decided that the continuous flood of updates cannot be effectively handled and that it makes more sense to ignore them until a breach occurs.
Whether this is a rational response to the issue is arguable. If your computer or system is not compromised, it looks like a good decision. If you are compromised, it might still be a good decision if the problem is small and easily cleaned up. Even if the compromise is serious, dealing with it might be easier than dealing with the possible disruptions of services through continually updating software.
Even if this is a rational business decision, it is not good security. In the long run, everyone suffers because the bad guys are able to operate and finance their operations with exploits that put not only the system owners but everyone who depends on those systems as employees, customers or third-party users at risk.
The problem is that patching is a stop-gap approach to IT security that has evolved into an end in itself. A lot of effort is going into finding and patching vulnerabilities after the fact, and the industry has not done an adequate job of addressing the underlying problem of vulnerable software.
Patching should not be a primary security tool. Even with automation and tools to help, it is cumbersome at best and a major headache at worst. The lack of stable software versions can threaten the stability of systems that are in a constant state of flux. Eventually, someone says, Enough! Let things stay as they are and we’ll deal with problems if and when they occur.
The solution is to eliminate the need to patch by preventing vulnerabilities in software in the first place. This would not be easy, of course. It probably is not possible. But there has to be a better way of producing software than is being done today.
Microsoft is one of the leaders in the effort to improve software development with its Trustworthy Computing initiative, yet after a decade not a Patch Tuesday passes without a list of security bulletins.
Security through patching seems to have hit a wall, or at least is reaching the point of diminishing returns. We are unlikely to see large-scale improvements in security until underlying issues are more effectively addressed.