Where were you when WanaCryptor surged around the globe? The highly virulent self-replicating ransomware (a ransomworm, of sorts) swept across most of Europe, the Middle East, and Asia, encrypting valuable and important files in the process.
The response was swift, as it had to be. But the infection still hit over 200,000 systems around the world, some in mission critical infrastructure. As such, Microsoft issued extra security patches for Windows XP, Windows Server 2003, and Windows 8.
Patching is usually the most efficient method of eradicating a glaring security issue — except for when, in some cases, it goes wrong.
Don’t get me wrong. Patching is secure. It will keep your system safe. But there are certain ways of doing it that ensure you don’t make a bad situation worse.
There is a reason I led with the WanaCryptor story. In the post-infection hubris, a huge number of major organizations were attempting to patch their networks. While Australia was largely untouched by the ransomware, a number of hospitals connected to the Australian State of Queensland’s integrated electronic medical record system suffered outages after patching to protect against infection.
Queensland Health installed system-wide patches released by Microsoft, Citrix, and practice management specialists, Cerner. The patches rendered several patient record systems useless.
Broken patches aren’t new. Nor are they limited to a single industry, or system type. For instance, a Windows 10 update in December, 2016, was quickly patched after the initial update broke networking. That Microsoft has switched to a deliberately vague patch note system makes the introduction of a new, unspecified issue all the more frustrating.
Unfortunately, gamers more than any other group understand that a patch isn’t always welcome. To be fair, the impact of a game-altering patch isn’t quite as significant as a patch that breaks a medical system. However, it still causes distress for those involved.
Apple isn’t above patch issues either: an iOS 8 update was plagued with reports of fast battery drain, Wi-Fi drop-outs, random reboots, and more.
So I Should Stop Patching?
Absolutely not. As I mentioned, a patch is often the quickest, safest, and easiest method for companies to rectify any number of issues. Again, consider a newly released game. Quality Assurance testing seems to be on the wain in the 21st Century and buggy new releases are becoming de rigueur. The frequency of major patches on Day Zero or Day One is rising. In this instance, if you don’t patch, your game remains a buggy, potentially unplayable hellhole (not to mention a patch might make your save incompatible with other features at a later date).
“To patch or not to patch” isn’t a question we should have to ask ourselves — but, unfortunately, we do. Especially in scenarios involving older, outdated hardware (sometimes mission critical), or when there are more than a handful of computers at stake. The result of a patch gone awry in these situations can see entire organizations taken offline. At their very worse, a patch will introduce a new vulnerability. Why then does it seem that more and more major companies are delaying the introduction of updates marked “important” or “critical”?
Time Your Patch
Patch-phobia is nothing new. Before Windows 10 introduced mandatory updates, people would leave their system unpatched for months at a time. I know, I was one of them. And while Microsoft enforce their update system, they have allowed users some leeway. Not freedom of choice, mind.
3 easy steps to make your operating system secure:
— Jakub (Kuba) Sendor (@jsendor) May 19, 2017
The way not to deal with a patch is sticking your fingers in your ears and shouting “la la la.” Ignoring a patch for too long is, well, daft. However, timing the installation of patch is sensible. A large IT department might have the luxury of a test system. Furthermore, large, system-wide patches usually arrive later for enterprise and business solutions. But a small business doesn’t have the same redundancy.
In this case, the “wait and see” approach brings some benefits. Other users will install the patch first, and their systems will illustrate any horrendous bugs or breakages. In a similar vein, if there are significant issues, the patch vendor might rectify those issues before you install.
The balance lies in the evaluation of the importance of a specific patch. Can you afford to let another person or company be the guinea pig (potentially creating a semi-permanent zero-day situation), or is it an instant, imperative installation?
How to Patch Safely
Again, we are not advising anyone to steer clear of patching. Vital security and system updates arrive via patches. Windows was a much more dangerous operating system before the introduction of forced updates. As with vaccinations, herd immunity works best — and simply put, people weren’t helping the herd.
Of course, you want to patch safely. Here’s how:
- Patch notes. Linux and Apple users can read patch notes as they hit the internet. Linux users are rarely, if ever forced to patch their system. Apple have only released one automatic patch (in response to the massive Network Time Protocol error back in 2014). Windows 10 users aren’t so lucky. The Windows 10 Creators Update did introduce a new Pause Update button, but that only provides a momentary stop-gap (up to seven days). It might, however, be enough to miss a bad patch, or at least a bad patch swiftly updated. In addition, Microsoft has all but removed detailed patch notes from the equation. (But you can try to find out more.)
- Virtual machine. Perhaps not an option for everyone, and again, Windows 10 users are likely working within a limited time-frame, but a installing a patch to a virtual machine running the same operating system can help with bad patch identification. A Windows 10 user could set their main system to Pause Updates for seven days, download the patch, and install in a virtual machine. If everything works, you can patch your main system.
- Make backups. One of the easiest ways out of a bad patch is to roll back to your last known good setup. It is a good idea to create regular backups of your system anyway, and this is another great reason.
Hope for the Best…
…but prepare for the worst. It is an adage that works quite well when we consider unknown patch territory.
If you’re preparing for the worst scenario, you’ll only be mildly surprised (or irritated) when that scenario lands on your keyboard.
Have you had a patch nightmare? Were you forced to update, or was it something you installed yourself? Do you regularly pause your Windows 10 updates? Let us know your patch-tips below, or share this article on Facebook or Twitter and continue the conversation there!