We’ve all been there before, that horrible situation after a long day at work or when you’re in a rush to do something, and as you go to shut down or subsequently restart your windows machine you are greeted with those beautiful four words…
“Windows is Applying Updates”
It is a magical time of frustration and irritation, mixed with another notch on the tally of reasons why you feel you hate Microsoft. As I say, we’ve all been there, and I’m sure the Linux and Mac users of this world will be reading such comments with a sense of smug superiority. However, frustratingly many people fail to see the importance of such things and do not understand why these updates happen so frequently and why they are now more important than ever before. For these people, I present to you a very brief awareness message as to why that is the case to hopefully give you some reassurance that, whilst still an annoying and (undoubtedly) inconvenient process, it is very much a necessary one for the safety of you and your data.
Let us begin with why software is written. It is written for a purpose, for a specific goal as set out in the specification documents agreed by the customer and the development company (or individual/independent group). That software will be written to be compatible with certain types of operating systems, to run with specific systems or be able to read and write to various databases. It may be a separate application on your computer, it may be web-based and hosted on a remote server…whatever it is, it was designed that way for a reason. The coders and developers were building that software with a general sense of security and protection of data in mind, but with the need to balance this with accessibility and ease of use.
In network security we talk about the CIA, which stands for confidentiality, Integrity and Availability. If you imagine each of these as points on a triangle with a dot in the centre that indicates how much of each you have at any given time. As the dot moves towards one corner, it detracts from the others. The aim of network security professionals and coders generally (although not always the case) is to keep the dot firmly in the centre so that your data’s confidentiality and integrity is maintained, whilst not hindering the availability of that data to the user. As an example, you could secure data to the extreme by utilising the highest levels of currently existent encryption to scramble the data several times over, separate it out into chunks, distribute those randomly to storage devices across the globe with zero network access, and then delete the encryption keys. This would mean that your data was safe and no one would ever see it – however, neither would you, and so we have high levels of confidentiality and integrity, but zero levels of availability for the user.
At the end of the day time is money and if a process takes two clicks instead of ten then it will save you time and money in the long run. If the designers accept the risk of less security but better ease of use then depending on the type of data and levels of sensitivity, this may be a fair trade-off. Plus, let’s be honest, we’re all inherently lazy to some degree and want things to be as simple and intuitive as possible.
Now, given that a complex piece of software may contain hundreds of thousands, if not millions, of lines of code. These will usually be written by a team or several teams of coders and developers. It is not difficult to see that somewhere some errors, security flaws or vulnerabilities may exist in that code until thorough testing takes place both before and after deployment. All of the above issues are generally referred to as “Bugs” in the code. There is a joke that regularly goes around that the coding community, which is:
“99 little bugs in the code. 99 little bugs. Take one down, patch it around. 127 little bugs in the code…”
Which is actually very true and happens all the time, much to the frustration of coders across the globe. Whilst I have never worked as a coder, after studying software development at University for several years I really came to appreciate this fact.
So why do we need updates and patching?
Well simply put, software “patches” or “updates” are amendments or additions to the existing code for that piece of software or hardware, which is looking to address one of the issues I listed above. So it could be simply to change a few lines of code to make the program more efficient; to remove a bug that causes an error such as the program crashing repeatedly when you click on a certain button; or to look at patching a vulnerability that hackers can exploit where they can gain access to parts of the software, data or system, which they shouldn’t be able to do under normal circumstances. Alternatively you may get changes to the GUI (Graphical User Interface) or major updates to a program where you have new or additional functionality.
This very much is the same for your operating system, such as windows, where vulnerabilities, functionality and errors are patched on a weekly basis. It is a well-known fact that for Microsoft there is such a thing as “Patch Tuesday” where generally all of the latest security patches get released (with release notes) on a Tuesday. The notes are there to explain to users and system administrators exactly what the patch is doing and amending in the system (A very essential bit of information for a system administrator). This is great as administrators (and the public) can plan to receive patches via Microsoft to update their systems and protect against the latest identified vulnerabilities. The bad news is that every Tuesday the hackers and general nasty people on the internet get informed every week as to what vulnerabilities did exist the previous week in a within a Windows system! There are ways to identify what operating system and versions people are running via various techniques, and this means that if exploits can be quickly pulled together for these vulnerabilities then anyone who doesn’t patch their system is potentially vulnerable to threats!
This is partially why, as frustrating as it can be, you should patch your devices when new security patches are released in order to better protect yourself against the latest threats. Not doing this leaves you vulnerable to attack and exploitation, which could mean disaster for you and your data.
All-in-all…not a nice place to be!
This explains why it is widely advised for people to upgrade from Windows XP to a newer version of Windows, given that Windows XP is now no longer actively supported by Microsoft. This means that Microsoft are no longer reviewing, developing or publishing updates for the operating system, which means that no new patches are released to plug those vulnerabilities or fix problems in the code.
Given that this is the case, it is terrifying to then see so many large organisations who deal with our finances or payment details, still running Windows XP machines (I have seen XP running recently in several hotel chains and restaurants…so how confident would you now feel about passing over your name, address, phone number, banking details and any other personal information to these businesses, knowing that they are running unsupported and likely vulnerable operating systems that hackers regularly search for an exploit?
…worrying, isn’t it?!
So to finish…
This is by no means meant to really scare you, but I just wanted to really help people understand why it is important to have the latest versions of software and to keep them regularly patched. As frustrating as it is to have to sit and wait for your system to update and install those updates, they are there for a good reason.
In fairness, this is a very brief, generic and high level overview of a couple of reasons why it is wise for people to patch their systems (and system admins or experienced users have their reasons for not necessarily patching systems immediately, or testing them in the first instance) but for your average, non-techy home user, you should update all of those critical and important security patches in your software when they become available, unless you have good cause not to.