Software updates can be a mixed bag. They add new features and fix issues, but they can bring new bugs as well. People put off updates to avoid these headaches, which wasn’t a bad idea in the earlier days of computing. However, with security vulnerabilities becoming more common, it’s time to stop.
This Cybersecurity Awareness Week article is brought to you in association with Incogni.
Automatic software updates weren’t all that common in the 2000s, which became more of a problem over time as the internet rose in popularity and malware attacks ramped up. For example, a security exploit in Internet Explorer was patched by Microsoft in April 2004, but a virus that used the exploit a few months later was still able to attack many PCs simply because many people had not installed the security patch yet. Many security fixes for Windows and Mac OS X (later macOS) were also not automatically installed or were difficult to manage.
Google Chrome helped push automatic updates into the mainstream, partially because they usually didn’t break anything, but also because they were almost unnoticeable. Mozilla added a similar “Silent Update updater” feature to Firefox in 2012 with the release of Firefox 15, and other web browsers eventually caught on. Many other applications started implementing automatic updates, too, or updates were just handled by whatever app store or game launcher they came from. Fun fact: the Steam game launcher has supported automatic updates since its inception in 2003.
Automatic updating is now firmly established as the default behavior for most software, rather than something that is limited to just the operating system or a handful of more vulnerable applications. Tech companies are also getting better at catching potential issues with updates before they are widely rolled out, using methods like staged rollouts, crash reporting, unit testing, and pre-release channels. For example, new Chrome features usually start out in the Canary and Dev channels, move up to the Beta channel when they are working well enough, and then eventually roll out to everyone running regular (Stable channel) Chrome. Microsoft currently has four pre-release channels for Windows 11: Canary, Dev, Beta, and Release Preview.
The Alternative is Worse
Even with better testing and development processes, there’s still the chance an update might introduce some bugs. Software is made by humans (or AIs trained on human work), and humans make mistakes sometimes. It might still be tempting to delay app and operating system updates, especially if your device is working fine. However, you should try to install updates when they become available because those updates might just save you from malware and stolen personal data.
We’ve seen a rise in discovered security vulnerabilities over the past few years, many of which are “zero-days”—security vulnerabilities that are made public before a fix is available. Mandiant, a threat intelligence company now owned by Google, tracked 246 vulnerabilities between 2021 and 2022. That’s an increase from previous years, and 62% of those were zero-day exploits.
Thankfully, companies are getting better at fixing security issues in a timely manner after they are discovered. Mandiant said in a blog post, “Of the 153 zero-days identified in 2021 and 2022, only 35 (23 percent) of them received patches after the first month following first known exploitation, indicating that most zero-days are remediated in a timely manner. In fact, 101 zero-days were patched within the first week of exploitation being first known.”
The security vulnerabilities aren’t getting better in 2023. Google fixed one in the Chrome browser back in April, Windows 11 had a few this year, and one Safari exploit caused Apple to update all its devices in August. There was also a security flaw discovered in a WebP image library, which resulted in emergency fixes for Google Chrome, Mozilla Firefox and Thunderbird, Microsoft Edge, LibreOffice, and many other applications that use the affected code.
It’s more important than ever to ensure your operating system, applications, and other software is always up to date, and make sure your friends and family are doing the same.
The Important Updates
Thankfully, staying secure doesn’t have to mean installing the major Windows or iOS upgrades as soon as they are available. Most operating systems and some popular applications deliver security fixes as standalone updates, which you can usually install without worrying about feature changes. For example, Microsoft releases monthly security updates for both Windows 10 and Windows 11, though support for Windows 10 will end in 2025. LibreOffice, the open-source office suite, continues fixing bugs and security flaws in the previous version for a while after a new major version is available.
Apple supports two or three major versions of macOS and iOS/iPadOS at any given time. For example, when Apple patched the security flaw CVE-2023-42824 in iPhones and iPads, the fix was rolled out to both iOS 16 and iOS 17. That means if you haven’t upgraded to the absolute latest major release yet, or your device is too old for iOS 17, you’re still safe from security threats.
Some software doesn’t give you a choice between installing all updates or installing just security fixes, but when you have the option, it can be a great way to stay safe without having to adjust to other changes.
