The Importance of Timely Patching
Yet another critical vulnerability was uncovered when it was discovered that Microsoft Office could be exploited through a malicious Word document to achieve remote code execution. Meanwhile, many old vulnerabilities remain unpatched: among the most frequently exploited vulnerabilities in 2021 are some from 2017 for which patches have been available for a long time. Some businesses may not realize the severity of the problem, and some experts may believe that selective patching is sufficient protection against cyberattacks and a better use of the resources spent on software update rollouts.
One Correct Strategy for Patching
There is only one correct strategy for software updates and patching: If a patch appears for software used in my organization, I roll it out as soon as possible. Here’s why.
1. Analyzing whether an update is critical or not takes more time than simply installing it. The analysis is typically performed by several experts or teams, including IT and information security, since the decision depends on the affected system, the assessment of cybersecurity risk and so on. This manual task not only takes longer but also costs the organization more, because it diverts highly skilled people who could be carrying out other useful tasks instead. The patching process itself, by contrast, is often carried out automatically by an update management system.
2. An expert or even a team that makes decisions about patching could make a mistake. They might decide that there is no need to patch but may have missed some scenarios. A cyberattack is the wrong time to discover that the experts made the wrong decision.
3. The level of risk related to a new vulnerability is not always immediately clear. When releasing an update and assessing the risk, a vendor assigns a particular rating. But at a later date, when additional research has been conducted, that rating might change, for example if a new attack vector is found. The initial low rating might encourage IT admins to postpone the patch, and then, when the revised estimate arrives, the organization finds itself critically vulnerable.
4. Sometimes IT departments prefer to install only major updates and skip minor ones. But a vendor may unexpectedly release a fix for an important security feature that is only supported on top of one of the minor versions that was skipped. The company then has to roll out that minor update in a rush before it can install the crucial security patch and mitigate the risk of the software being exploited in a cyberattack. In some cases, the vendor only describes how the vulnerability applies to the latest versions of its product, and it can be unclear whether the vulnerability also affects earlier, out-of-date versions.
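To make the cost of selective patching concrete, here is an added example (not part of the original article) that simulates points 2 and 3 above: it counts the days each fix was available but not installed under a "patch everything" policy versus a "patch only if the vendor rating is high" policy, using a constructed advisory timeline in which one vendor rating is raised from low to critical a month after release.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Advisory:
    name: str
    released: date        # day the vendor published the patch
    ratings: list         # (date, severity) history of the vendor's rating

    def rating_on(self, day):
        """Return the vendor rating that was current on the given day."""
        current = self.ratings[0][1]
        for changed, severity in self.ratings:
            if changed <= day:
                current = severity
        return current


def exposure_days(advisories, policy, horizon, rollout_days=2):
    """Days per advisory between patch availability and installation.

    `policy(advisory, day)` returns True when the organization decides to
    install on that day; installation then completes after `rollout_days`.
    Advisories that never qualify stay exposed until `horizon`.
    """
    result = {}
    for adv in advisories:
        installed = None
        day = adv.released
        while day <= horizon:
            if policy(adv, day):
                installed = day + timedelta(days=rollout_days)
                break
            day += timedelta(days=1)
        end = min(installed, horizon) if installed else horizon
        result[adv.name] = (end - adv.released).days
    return result


def patch_everything(adv, day):
    return True


def patch_if_high(adv, day):
    return SEVERITY[adv.rating_on(day)] >= SEVERITY["high"]


# Constructed sample data (names, dates and ratings are made up for illustration).
ADVISORIES = [
    Advisory("ADV-A", date(2021, 3, 1), [(date(2021, 3, 1), "critical")]),
    Advisory("ADV-B", date(2021, 3, 1), [(date(2021, 3, 1), "low"),
                                         (date(2021, 3, 31), "critical")]),
    Advisory("ADV-C", date(2021, 3, 1), [(date(2021, 3, 1), "low")]),
]
HORIZON = date(2021, 5, 1)
```

Under the selective policy ADV-B stays exposed for 32 days and ADV-C for the whole 61-day window, while the "patch everything" policy closes every advisory after the 2-day rollout.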
Installing all security updates quickly is an essential principle of cybersecurity hygiene, along with using an anti-malware solution. It is important that this becomes a habit: if there is a patch, it is installed without delay or dispute. This should become an internal standard for IT administrators and for the company as a whole.
Furthermore, if a vulnerability has no patch available yet, IT needs to read the vendor's recommendations and apply the workarounds it describes, such as hardening the system or disabling the affected protocols or services. This also needs to be done immediately.
Important Considerations
One more important consideration: when a vendor releases a patch, the vulnerability has already existed for some time, which means attackers likely knew about it (and possibly exploited it) before the vendor did. In targeted and highly organized cyberattacks, APT actors don't rely on known and popular vulnerabilities; instead, they turn to new and non-standard tools. Therefore, while timely updates are essential, an enterprise also needs a full-scale protection system that can detect advanced cyberattacks from subtle and scattered indicators.