My last article about expiring Windows 7 and Windows Server 2008 (R2) support has started a Facebook discussion, where comments to not to update have appeared. On the other hand, we hear from the media that updates are almost “vital”. It seems like a great topic for discussion and I would like to contribute with my perspective and experience.
Updates generally bring new features and bug fixes (both security and functional). Updates are almost always cumulative, meaning that each update contains everything from the previous update + something extra. I.e. if I skip the updates for 5 months and install the latest update for the 6th month, I will get the most up-to-date program (which also includes the previous updates).
There are 3 ways to deal with updates (see next chapters):
- You install all updates that are released.
- You skip some updates.
- You do not install updates at all.
You can select a different mode for each device/program.
1. Regular updates
Installing updates as soon as they are available, possibly with a few days delay, to allow time to test update functionality.
Advantages of regular updates
The greatest benefit of this approach is in my view the security. Most updates fix SW bugs (some updates only add functionality). The sooner you install the update, the better.
Releasing the update increases the likelihood of exploiting this vulnerability. Asking why? This is because the world learns that there was a bug in the application and of what type (from release notes or changes in the source code). The person that discovers this bug often writes an article describing the bug (a question of prestige), including a demonstration exploit (PoC – proof of concept). If the bug was really ‘juicy’, it is likely that cybercriminals will start abusing it.
The larger the business, the greater the system dependency (eg, authentication within a single Active Directory) (computers/servers/ programs). The exploitation of a bug on a single PC can lead to a chain of events (lateral movement) which results in the unavailability of the entire network in tens of minutes (THE UNTOLD STORY OF NOTPETYA, THE MOST DEVASTATING CYBERATTACK IN HISTORY)
Yet another benefit of regular updates (less important for me) is the immediate availability of new features that often come with updates. For example, Apple or Tesla fans are waiting to see what their devices can do with the next update.
Disadvantages of regular updates
Regular updating is perhaps the most laborious, and therefore the most expensive, approach. There will occasionally be several product updates per week (extreme). At the same time, most updates require a restart of the program/system and that can not always be done during the day.
At the same time, I must say that not all updates work. Either something goes wrong during the update, or it is found that the update fixes some bugs but also brings new ones after a few hours of operation. 🙂
When to update regularly
Being the safest approach (in case not updating MeDoc 😉 ) it does not mean that this approach is correct at all times. 🙂 When choosing an approach, it is necessary to consider its time hence financial complexity, concerning imminent risks (what would happen if the system was broken into and data were stolen/deleted). You would not get your dog an atomic shelter instead of a dog kennel, although it is the safest solution.
We choose this approach for programs where we perceive the greatest risk (according to the probability of abuse and the magnitude of the impact). This mainly means programs running publicly available services (mail servers, web servers, databases, VPNs), server/computer operating systems and web browsers (a lot of malware gets through them – they are interpreters of foreign code). 🙂
2. Selective updates
Regularly monitoring information about newly released updates, browsing “release notes” (information on what the update does/changes) and make decisions about installing or skipping the update.
I certainly would not call selective updating checking updates every 4 months when someone remembers that they have not updated anything in a long time. 🙂
Advantages of selective updates
Slightly less work (because you don’t have to install every update) and higher uptime (no update => no restart + no risk of new bugs with the new updates). You will have more time, lower costs for the customer and all parties are satisfied. 🙂
Disadvantages of selective updates
Security may not be at the same level as with regular updates. A software manufacturer occasionally finds a serious security vulnerability, quietly corrects it and does not adequately comment in the release notes. You then skip the update because you don’t think it is necessary. From the top of my head eg. „Attacking SSL VPN – Part 1: PreAuth RCE on Palo Alto GlobalProtect“ or „QNAP fails to reveal data corruption bug that affects all 4 bay and higher NAS devices“.
You need someone experienced to browse release notes to evaluate the meaning and impact of each item. Such a person may not always be at hand. :-/
When to update selectively
In my opinion, this is the method where you can maintain the highest availability of services (except for isolated systems, where it may be worth not to update at all). If the program/device does not require the highest level of security, then this is the method to choose.
This is how we update the FortiGate security routers. We have some experience that updates often bring errors that exceed the fixes. So we always choose, based on the release notes, whether the update is worth it or not. Then we test it for a few boxes for a month before moving on to the rest.
3. Not updating at all
No person is updating. Updates are not installed at all, they are installed randomly, or through the “auto-update” of the program without back-checking. Also known as “If it works, I’m not touching it“. 🙂
Advantages of life without updates
The main advantage is simplicity. It takes no time to not to update. At the same time, one avoids outages caused by reboots after updates. I am also not affected by the complications caused by updates (broken updates, new bugs in updates).
Disadvantages of life without updates
The number of discovered and unfix application errors increases over time. At the same time, there is a greater risk that something bad will happen (depending on how the program/computer/server is exposed to the network and how the user interacts with it). This then means reinstallation/restoration from backups and several hours of downtime.
Likewise, omitting some updates can affect program functionality (the program makes errors in data, can’t handle data growth), HW health (for example, the 6th Intel NUC generation had a bug in CPU power management that caused their death – https://downloadmirror.intel.com/28825/eng/SY_0071_ReleaseNotes.pdf BIOS version 42) or HW performance (for example Samsung Releases Firmware Update to Fix the SSD 840 EVO Read Performance Bug).
Not updating also creates something that I would call a “technological debt“. After some time, the programs and the operating system become so old that computers cannot run new versions of other programs, transfer data between the systems, or access web/mail (eg missing SMBv2, TLS 1.1+, old .Net). If we then update a component (dependency), it will make a new application operational, but we will make another old application unavailable. Similarly, problems can arise: upgrade cannot be done directly, one cannot get old versions of applications, one can not contact developers of an old version of the program, no one wants to have anything to do with the old version of the program. 🙂
When not to update
Of course, choosing to not update an application/system is okay. What is important, however, is the word ‘choose‘. It must be a rational decision, after weighing the pros and cons, and not because of laziness.
We also have a couple of ‘don’t touch’ systems. These are production control systems where there is no space to perform maintenance, downtime costs a lot of money and the system supplier no longer exists. In this case, we have systems isolated from the rest of the environment (so that they do not affect each other) and we have made copies of the systems (in case of recovery from an SW/HW problem)).
What updating/not-updating strategy did you choose? I feel that (not) updating is an eternal topic for discussion, so I am curious about your views. Please share your comments and experience.