Patching: A Band-Aid on a Bullet Wound?

Learn How The Biggest Enemy in the Fight Against Software Vulnerabilities May Be Ourselves 

Remind me in an hour, try tonight, remind me tomorrow. These are the options that face us when prompted with those pesky software update notifications (at least on a Mac). Welcome to the wonderful world of patching and software updates. Back in the days when computers ran off of punched paper tape, patches were distributed to customers on small sections of paper. The user was then expected to cut out the old section of code and patch in the new one, hence the name. Fast forward more than 75 years and patches can be pushed out automatically with zero effort on the part of the end user. This has seemingly eliminated all of the complications that come along with these patches… or has it?

Those annoying updates that we keep pushing off like the dirty dishes in the sink are crucial bits of code released to address a whole host of problems, from minor bugs to major security flaws. Chief among these security faults is the rather ominously named zero-day vulnerability. These get their name because, once they have been discovered, it has been zero days since the software designer began patching the fault. Zero-day exploits are especially dangerous because there has been no time to develop patches or workarounds to mitigate their potential damage. The Window of Vulnerability (WoV), the elapsed time between when a patch is issued and when an exploit becomes active, will ultimately dictate the severity and prevalence of any given zero-day vulnerability.

With how far we have come regarding automatic patching and updating, many may wonder if the threat from such an attack still exists. Unfortunately for us, despite all the advancements in patching technology, the problem remains rooted in humans. Humans write the code for programs, humans develop the exploits, and ultimately humans are responsible for testing and implementing the patches. Each step in this process introduces the possibility of error, and the severity of such errors or exploits only becomes more pronounced with time. The issue of patching has spawned the area of system management known as patch management: a person or group of people, in some cases a piece of software, is responsible for testing, installing, and maintaining patches for a suite of software or applications. At times patching may seem like trying to collect sand with a sieve, but vigilant implementation of patches is the best defense against bugs and exploits ruining your day. So next time you see that update notification, update now!


Published November 10, 2017
