Dr. Gerry Santoro
Founding Associate Professor
System and Application Patches
It can be useful to think of any computing device as consisting of three layers of technology. The first layer is the hardware: the actual physical components of the computer, together with the programs that allow that hardware to interact with other hardware. The second layer is the operating system. This basic layer of software integrates hardware functionality and provides services such as the user interface, file structure, memory management, and basic utilities. The third layer is comprised of various user applications such as word processing, music/video players, Web browsers, and the user data associated with these applications.
The hardware layer is generally fixed. The only way to alter the hardware is by removing and installing new hardware components. In today's IT market it is generally easier for the user to purchase a newer, more powerful set of hardware than to upgrade the old one. While this is more convenient to users, it has created a problem with the disposal of outdated hardware. As a result, many communities offer services to recycle or properly dispose of outdated electronics.
The operating system is designed to work closely with the hardware. Several versions of operating system are available for desktop, laptop and tablet computers: Microsoft Windows, Apple's OS, and Linux. There are also primary operating systems available for mobile devices, including Google's Android and Windows 8. A major function of the operating system is to mediate between user applications and the hardware of the computer, so a user acquiring an application or hardware peripheral need only be concerned with the operating system of their computer and specific features such as available memory, storage and input/output ports.
The third layer, applications, is the programs that provide the functionality the user desires. Typically a user will want certain applications and will purchase a computing device, along with its associated operating system, that will support those applications. Today most applications have versions that will run on all popular operating systems, so the choice between, for example, a Macintosh and a Windows computer depends more on user preference for that vendor than on the availability of specific applications.
The operating system and the applications on any computing device can contain security vulnerabilities. In some cases these are due to the design of the software: a design that provides convenience to the user may actually be exploited by malware. In other cases these vulnerabilities result from software bugs, such as the buffer overflow, where a program writes past the bounds of an array and whatever follows it in memory, including legitimate program code or control data, can be overwritten with content supplied by malware. Unfortunately, it is not possible to guarantee that any piece of software more than a few lines of code in length is bug free. Furthermore, software developers typically worry first about functionality and performance.
As a result, all operating systems and most applications will periodically receive security and other updates, which are also known as patches. Organizations such as the US Computer Emergency Readiness Team (CERT) release frequent lists of known vulnerabilities. Companies that develop operating systems and applications distribute patches for the vulnerabilities found in their products.
The major problem with OS and application patches is that many people do not take the time to download and install them. This is dangerous. As soon as vulnerabilities are announced, the details are available to hackers and malware developers. This would be like someone announcing at a party that they were outside and saw that you had left the windows to your car open and the keys on the driver's seat. While the announcement is important for you, it also has notified every possible criminal that your car is vulnerable. Only if you immediately go to your car, retrieve the keys, close the windows, and lock the car is the risk of theft mitigated.
Why would someone ignore a patch? In many cases people are busy and do not want to stop what they are doing to install it. When the work of patching is multiplied across all applicable applications and the risk is not perceived as immediate, the user can accept deferring the installation for a later time.
In most cases installing a patch is as simple as downloading the installation file and running it. In some cases applying a patch will require that you provide your computer's administrator password. Considering how easy the process can be, it is surprising that many users leave their applications unpatched.
In the case of Microsoft Windows and Apple's OS, the user need only turn on the system option to check for OS upgrades. The user can then elect to install the patches manually, which is as simple as being connected to the Internet and clicking on a button. The user may also allow the computer to install them automatically. The second option is recommended, to ensure that OS patches are installed as soon as they are released. You should consult the help information for your specific OS version to see the steps for doing this.
If you have a laptop computer or a system that is only occasionally used, it is a good idea to turn it on occasionally (once a month) specifically to allow it to download and install appropriate OS patches. The problem with having a system unused for too long is that the number of pending patches will accumulate and it could take hours for all of them to be downloaded and installed when you do finally turn the computer on and connect it to the Internet. Until that backlog is installed, the system is also exposed to every vulnerability that was disclosed while it sat unused, so let the updates finish before using it for anything else.
Many security vulnerabilities are based in specific application programs or application runtime systems. An example of an application vulnerability is a memory corruption flaw in Microsoft Internet Explorer, reported in April 2013, that allows an attacker to inject and execute arbitrary code on your computer. The injected code runs with the privileges of the user who was browsing, which on many home systems is an administrator account, so this essentially gives the attacker administrative control. An example of an application runtime system vulnerability is the set of multiple vulnerabilities discovered in Oracle's Java runtime engine (various versions) in late 2012. These vulnerabilities also permit the execution of arbitrary code on your computer. They were so severe that the Department of Homeland Security issued a warning for users to disable Java in their Web browsers.
Companies that produce applications will periodically issue security upgrades for their programs to remove identified vulnerabilities. In some cases the program will check automatically for upgrades and notify the user that action is required. In other cases it may be up to the user to check with the vendor. In the latter case, most vendors will maintain an e-mail list so that they can notify the user when an upgrade is available.
In general, the more popular an application is, the more likely that vulnerabilities will be discovered and exploited. Programs called vulnerability scanners automatically scan a computer or network and report vulnerabilities, including unpatched applications. These programs are generally used in a business or organization with networks containing many individual desktop and server computers. A vulnerability scanner works much like an anti-malware program, but with a twist. While an anti-malware program uses a database of malware identification strings and scans files looking for these strings, a vulnerability scanner starts with a database of known vulnerabilities and scans applications and OS components looking for unpatched vulnerabilities.
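As an added example (not code from the original article, and not taken from any of the scanners named in it), the following Python sketch shows the core of what such a scanner does: it holds a small database of advisories, each naming a product, the first version that contains the fix, and the date the flaw became public, and compares every installed program against it. The inventory and advisory records are constructed for illustration; the product names and advisory IDs are invented placeholders, not real software or real advisories, and a real scanner would gather the inventory from the package manager or registry rather than from a list. Versions are compared numerically rather than as strings, because a string comparison would rank "10.2.1" below "9.9" and miss the unpatched install. The report also gives how many days each vulnerability has been public, which is the window of risk that patching is meant to close.

```python
"""Toy vulnerability scanner: compares an inventory of installed software
against a database of advisories (added example, not from the original article).

Assumptions (not from the page): the inventory is a list of (product, version)
pairs, which a real scanner would collect from the package manager or registry,
and each advisory names the product, the first version containing the fix, and
the disclosure date. All records below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ID, not a real advisory number
    product: str
    fixed_in: str      # first version that contains the patch
    disclosed: date    # day the vulnerability became public


def parse_version(text):
    """Turn '10.2.1' into (10, 2, 1); a non-digit suffix such as '4b' counts as 4."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed, fixed_in):
    """True if installed is older than fixed_in. Compares numerically, so
    '10.2.1' is newer than '9.9', and pads with zeros so '2.4' equals '2.4.0'."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def scan(inventory, advisories, today):
    """Report every installed product older than an advisory's fix, most
    exposed first. days_exposed is how long the flaw has been public."""
    findings = []
    for product, installed in inventory:
        for adv in advisories:
            if adv.product == product and version_lt(installed, adv.fixed_in):
                findings.append({
                    "product": product,
                    "installed": installed,
                    "fixed_in": adv.fixed_in,
                    "advisory": adv.advisory_id,
                    "days_exposed": (today - adv.disclosed).days,
                })
    findings.sort(key=lambda f: f["days_exposed"], reverse=True)
    return findings


# Constructed sample data: invented product names and advisory IDs.
INVENTORY = [
    ("Example Browser", "10.2.1"),
    ("Example Runtime", "7.0.15"),
    ("Example Office", "2.4"),
]
ADVISORIES = [
    Advisory("EX-2013-001", "Example Browser", "10.3", date(2013, 4, 1)),
    Advisory("EX-2012-007", "Example Runtime", "7.0.11", date(2012, 12, 15)),
    Advisory("EX-2013-002", "Example Office", "2.4.1", date(2013, 5, 10)),
]
TODAY = date(2013, 6, 1)   # fixed "today" so the report is reproducible


def demo():
    """Run the scan on the constructed data and return the findings."""
    return scan(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['product']} {f['installed']} < {f['fixed_in']} "
              f"({f['advisory']}, public for {f['days_exposed']} days)")
```

On the constructed data the runtime is reported as clean because 7.0.15 is newer than the fixed version 7.0.11, while the browser and the office suite are reported, the browser first because its flaw has been public the longest. The same comparison is what a real scanner repeats for every entry in a vendor's advisory feed, which is why its database must be updated as often as the anti-malware signatures it resembles.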
There are a number of free and commercial vulnerability scanners available for individuals and small businesses. One popular commercial scanner for business use is Nessus, which supports multiple platforms and comes with frequent updates and support. A popular scanner for individuals is Secunia PSI (Personal Software Inspector), which runs on Microsoft Windows and scans for vulnerabilities in third-party applications (the product has since been discontinued by its vendor, so check that any scanner you choose is still maintained and still receiving database updates).
Regardless of the approach you select, it is important that you ensure that your computer's operating system and applications receive the patches that are issued. OS patches are, by far, the most important, but are not sufficient on their own. Patches for applications from vendors such as Adobe and Microsoft are also needed to protect you from vulnerabilities. Remember that once a vulnerability has been announced, every hacker in the world becomes aware of it. Diligence in applying OS and application patches will help to protect your system from infection and your data from corruption or theft.
Sidebar for small businesses
Patch management is a major issue for businesses. Many do not have an effective patch management strategy, or do not allocate the necessary resources. Small business IT staff should be sure to exercise control over which operating systems and applications are installed on company systems and on any bring your own device (BYOD) systems that are permitted access to company networks. IT staff should carefully monitor for patches and apply them to all systems as soon as they are available. For larger networks this may be done through use of a commercial vulnerability scanning service or the installation of vulnerability scanners. For smaller networks it may be sufficient to check vendor notifications or vendor Web sites for announcements. Vulnerability summaries, such as those published by CERT, can also be an important source of information. Managing vulnerability translates to managing the window of risk opportunity: the time between a vulnerability becoming public and the patch being applied on every affected system. While it may not be cost effective to eliminate all vulnerability, it is certainly possible to reduce the amount of risk to an acceptable level.