Usually I try to figure out a pithy title as a draw, but for the love of whichever entities you respect and/or follow, please do your software updates. Specifically do your platform updates: on your iPhones/Pads/Macs, on your Windows machines. Update your apps. When the little red notification comes on, do not ignore it, just do it.
How to Update
- Updating on Apple (iPhone/iPad): https://support.apple.com/en-us/118575, and includes how to set this up to do it automatically.
- Updating on a Mac: https://support.apple.com/en-us/108382
- Updating on an Android phone: https://support.google.com/android/answer/7680439?hl=en
- Updating on a Samsung Galaxy phone or tablet: https://www.samsung.com/us/support/answer/ANS10002027/
- Updating a Windows device: https://support.microsoft.com/en-us/windows/install-windows-updates-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a
(If you have other devices/platforms just use your handy dandy search engine — I use Duck Duck Go — to identify how to get your updates in a timely fashion. Bonus points if you set it up to automatically do it.)
Why Update
There are some that believe the updates are for feature funsies: e.g., if I update my phone I will get the new AI this or the new UI that. This is true, for most “regular” updates there are some feature releases and you get to read all about those (and decide if you like that or not). There are also “bug fixes”. I feel like this does disservice to what those fixes are: if I think of a “bug” I think of “annoying thing that happens”, I do not think of “wide open gaping hole for bad actors to waltz in through”.
Your platform updates often include security patches. These patches are, for the most part, NOT because the engineers made a mistake when crafting the platform, rather, they relied on packaged convenience libraries to do some standardized work and *it is those libraries* that have problems. Think of it like this: the engineers baked the cake, but the problem was hidden in the flour they used, and would not have been visible when they baked the cake and someone found out the flour had something in it long after the cake has been baked.
This happens *all the time*. There are thousands, probably millions of little packed up conveniences in the software world, because writing something *from scratch* takes a very long time and it’s kind of silly if someone has already done it (and done it so well that All the Other Kids are Using It). When a vulnerability is discovered in a package, it is given a CVE number (Common Vulnerabilities and Exposures), and a detailed write up on what the vulnerability is, where it is, and oftentimes suggestions on how to fix it. Companies worldwide use MITRE’s CVE database to understand what and where those vulnerabilities are, and how to fix them, so they can iteratively update their software and further secure it. Vulnerabilities are discovered by engineers around the world, sometimes on their own time, and sometimes on their company time: they are written up and shared with package users to make sure they get fixed.
How Bad Can it Be?
A vulnerability or exposure has roughly four stages of severity: low, medium, high, and critical. YOU as the consumer don’t really know which basket of vulnerabilities is addressed in “bug fixes”, but the company you depend on does: high and critical vulnerabilities, and their address, are often why you get off-cycle security patches (ever had an update on your phone that seemed awfully soon after the last one?). These vulnerabilities are “publicly disclosed”, meaning, their existence and how they can be exploited is also disclosed. The analogy here is: there’s a catalogue of all barn doors that are unlocked in your area, and anyone who uses those barns should be aware of that, and the barn owners should be aware of that, so the barn owner can lock the door. This also means that bad actors (who, let’s face it, are probably serially trying all the barn doors through the area anyway) who are lazy and did not do their homework now have a legit directory of which barns are probably unlocked.
Hence the haste.
These vulnerabilities are discovered and there is a Very Short Window in which the companies that use them can get a heads up on fixing them and getting those fixes out before they show up in the public discourse. (Meaning, the CVE doesn’t show up formally in the MITRE database until which time as the organizations and libraries dependent on fixing it have at least had a *chance* to fix it). This means that the original discoverer(s) of the exploit know how to break in, but it isn’t available to everyone else to see: that happens after (theoretically) everything has been fixed.
“Everything has been fixed”, in this case, means that your software has been patched and updated, *or you have been asked to do an update*.
If you wait, and the longer you wait, the more exposed you are.
Modern convenience often comes with modern inconvenience: we have computers that are smaller than our hand that literally tether to all global knowledge, they help us stay in communication with others and they help us track our lives and livelihoods. They also are fragile and need care and feeding, and it can be easy to defer it in light of convenience (“oh, I won’t do the update now because it will take too long, I’ll wait until ‘later'”). Please. Don’t wait until “later”.
Bobbie Conti 
[…] of the questions I have fielded since Do Your Updates is best distilled as “why can’t developers do it perfectly the first time”. Aside […]
[…] have told you to Do Your Updates, twice. A good example of why is the recent news about supply chain attacks in popular npm […]