Updating software on employee workstations is a never-ending, constant process. Thus, you may simply lack the resources to keep updating all software. On average, dozens of new vulnerabilities are found every single day; accordingly, many hundreds and even thousands of patches for them are released every month.
This poses the question: what updates should be a priority? And there’s no simple answer to that. Patching strategies can be very different, and finding the one that works best for your company can depend on various circumstances. In this post, I share some thoughts on what software should be patched first — based on the potential risk of vulnerability exploitation.
Got any vulnerabilities on your system?
Some people believe that the number of discovered vulnerabilities speaks of the given software’s quality. Simply put, more bugs means worse software, and a lack of any ever reported means that software is great. These considerations then affect their choices of corporate software.
But this is, of course, a misperception: the number of detected vulnerabilities generally speaks of the program’s popularity, not quality. You can find bugs anywhere. And most of the time, bugs are discovered where people look for them. A company could get by using some long-forgotten software product just because nobody ever found any vulnerabilities in it. But that would be an unwise strategy: what if someone actually tries and succeeds in discovering a whole load of them right away?
In a nutshell, it’s not the number of bugs that matters, but how quickly patches for them come out and if they actually fix problems. Quick and regular patching is a good thing. While rare, sporadic releases — with the vendor trying to pretend that nothing bad has happened — are a disturbing sign; such software should be avoided.
Another good thing is when the developer runs a bug bounty program — even better if the program is open for everyone. A bad thing is a vendor threatening to sue bug hunters (yes, it happens more often than one would imagine), or worse: dragging people to court for reporting vulnerabilities.
But let’s get back to patching prioritization. The obvious candidates for the highest priority are operating systems. All-important OS updates must be installed as quickly as possible. The risk is self-evident: a compromised OS is the key to the rest of the computer’s software.
So if you use Windows, it’s in your best interests to at least look through the list of Microsoft updates on the second Tuesday of each month, and install them ASAP. But you should still follow the news: if a Windows patch comes out on a different date, it should be installed right away.
There are several solid reasons to prioritize browser updates. Firstly, browsers account for much of our digital activity these days. Secondly, browsers by definition interact with the internet, so they’re one of the first to be affected by any cyberthreats. Thirdly, attackers spare no effort looking for browser vulnerabilities, often succeed and quickly turn to exploiting them.
So try to install browser patches pronto. Additionally don’t forget to restart your browser after an update: until you do, the old, vulnerable version remains in use. Keep in mind that your system may have more than one browser installed. They all need timely updates.
And speaking of multiple browsers, there’s a couple of things to keep in mind:
- Internet Explorer: hardly any user’s free choice anymore, but this browser is still featured on any Windows computer — and needs timely patching.
- Many desktop apps (for example, messengers) are based on the Electron framework — technically a Chromium browser opened in a web app. Don’t forget to update them too, as they automatically inherit every Chromium flaw out there.
Attacks through emails with malicious attachments are a classic cybercriminal move. They mostly rely on infected files — especially Microsoft Office and PDF documents. This means that office suite programs’ vulnerabilities often serve as an entry point into the target company’s network. Therefore, you should pay close attention to office software updates.
In most cases, malware attachments don’t open themselves — somebody has to click on them. That’s why it’s important to provide information security training for your employees — for example, on our interactive educational Kaspersky Automated Security Awareness Platform.
It’s also a good idea to set up an internal communication channel with your information security department: on the one hand, to alert your employees about relevant threats and improve general awareness; on the other, to receive their reports on various suspicious activity, including in their email boxes.
As mentioned above, vulnerabilities can be found in any software — and security products are no exception. Antiviruses and other information security applications need lots of high-level permissions to operate efficiently, so a successful exploitation of a security solution’s vulnerability might cause very serious problems.
Security software developers are aware of the potential danger of such a scenario better than anyone else. Therefore, they try to promptly respond to reported vulnerabilities and release updates ASAP. Of course, promptness is equally important when installing those patches. We recommend monitoring your security products’ updates diligently and prioritizing their installation.
Work collaboration apps
One more software category that has earned special significance for office employees in the past decade requires special attention. I’m referring to work collaboration apps, such as Microsoft Teams, Slack, Confluence, and the like. In many companies these have gradually taken over a considerable part of business correspondence, file exchange, and conference calls.
Naturally, collaboration tools have become an attractive target for cybercriminals: they can usually learn a lot of juicy things from the content that’s transferred through collaboration apps. It’s important to keep these apps up to date with the latest security patches.
Here’s one more reason not to postpone updating your collaboration tools. As I mentioned above, every app based on the Electron framework is technically a Chromium browser — with all its vulnerabilities so popular among cybercriminals. And guess what? Electron is also quite a common framework for collaboration tools. For instance, it’s the backbone of the desktop versions of both Teams and Slack.
To protect employees’ computers from hacking at those unpleasant moments when a vulnerability has already been found but a patch for it hasn’t yet been released, be sure to use reliable protection on all corporate devices. By the way, a number of our solutions for business — including Kaspersky Endpoint Security for Business and Kaspersky Hybrid Cloud Security Enterprise — feature the built-in Kaspersky Vulnerability and Patch Management system that helps you automate and properly prioritize your software updates.