We very often think of system updates in terms of updating our computer's operating system - which is indeed essential. However, the software applications that run on your operating system, like word processors, spreadsheets, web browsers, and email clients, present their own security challenges.
To better understand the impacts of unpatched software, let's discuss two examples:
Web Browsers. Web browsers work by downloading and interpreting software code from an unknown third party (server). It is up to the web browser to decode and present that software code properly - often as a web page. Using this knowledge, attackers can create website code that attempts to trick your browser into stealing data, downloading malware, or carrying out various other attacks. Keeping your web browsers up-to-date is one of the easiest and best ways to prevent these kinds of attacks, along with anti-malware software and some common sense.
Office Products. We don't often think about it like this, but office products like PDF readers and spreadsheet applications work in much the same way as a web browser. A PDF file, for example, is simply software source code that a PDF viewing application decodes and displays. Because of this, it's possible to create PDF documents that attack your computer - similar to how a malicious website would - by embedding malware and other malicious code inside the PDF document itself. Once again, ensuring your office products are up-to-date, along with anti-malware software and some common sense, goes a long way towards preventing these kinds of attacks.
All software presents at least some risk to your organization. As much as software engineers try, there are almost always security "bugs" that must be corrected in an update (also known as a patch). Creating security patches for software isn't a particularly enjoyable endeavor for a software engineer, but patches are created because they're necessary - and we apply those patches out of necessity, as well.
As a standard policy, we recommend that all critical security updates be applied within seven days, and all other non-critical patches within 30 days. For most small businesses, allowing automatic updates to do their job is the best course of action.
For more information on this topic, please reach out to us; we’re here to help!