Patch

Description
A patch is a piece of software developed to fix a vulnerability in software or hardware. A patch may be released on a regular schedule or only when a vulnerability is discovered and needs to be fixed. A patch is not always a security matter: it can add features to an application, fix errors and functionality issues in applications and hardware, and improve performance.

History
Patches have played a role in computer systems for nearly 80 years. Originally, program tapes would have their punched holes covered by a physical patch to change the output of the tape. As computers became digital, physical patches were replaced by software patches. Initially the developer had to bring the patch on a disk to be run on the system that needed it, and in some cases the disk had to be run on each system, one by one, until all necessary systems were patched.

At a later stage patches were sent to the user via email, and the user would then run the patch on their system. With the introduction of the internet, it soon became possible for users to go to the developer's website and download the necessary patch. As of 2000, with Windows ME, operating systems were able to get automatic updates, which allowed users to receive patches automatically and periodically from the developers. Depending on the configuration, these patches could also install themselves without the user having to do anything other than restart the system if necessary. This made it easier for less technical individuals to keep their systems updated with the latest patches.

Around the same time, applications often still required the user to manually download and install patches from the developer's website. Today, most applications have the option to automatically check the internet for the latest updates, download them, and install them.

Types of Patches
Patch is often used as a general term, but there are various types of patches that can be developed, and the type is usually determined by its purpose.

Hotfix
A hotfix is usually a single fix designed to address a particular problem within a system and is not released periodically. This patch is usually emailed to the user or has to be downloaded from the developer's website; there are rare cases where a hotfix is pushed automatically, most likely in the event of a large-scale emergency. Hotfixes can also come bundled in service pack updates.

Point Release
A point release is often a minor patch release mainly focused on fixing small issues in an application and plays a significant role in application versioning (e.g. from version 1.0 to version 1.1). This is also the most common form of regular or periodic update, with larger patches coming once every few weeks or months. With many applications, especially large complex ones, there are too many bugs to fix at one time, so point releases are issued frequently, fixing a few bugs at a time.

Security Patches
A security patch is a patch specifically designed to fix a vulnerability within an application. This is regarded as the most important type of patch to apply, as it protects the system from attackers exploiting the vulnerability to carry out malicious acts.

Service Pack
A service pack is a collection of patches and hotfixes and is often used to fix a large number of issues of various types, improve the system and even add features; what it contains depends on what the developers bundle in it. Service packs do not come out as frequently as point releases, only occasionally when the developers see it necessary. There is also a higher chance of patch errors being present in a service pack than in a point release because of its size: it takes longer to download and install, so there is more time and opportunity for the process to fail.

Third-Party Patches
This type of patch is developed by individuals other than the actual developers of the system. This makes the patch unofficial and in some cases not recommended. The patch may not work, may damage the intended application, or may contain malware. Often individuals develop these patches for computer games so that the user does not need to run the game from its disc; however, in some countries this violates the end-user license agreement and therefore the law.

Importance of Patching
An alarming number of users do not see the importance of security patches or feel any urgency to apply them. In the past there have been a number of devastating and costly malware outbreaks as a result of people not installing security patches. WannaCry, Conficker and NotPetya, for example, caused billions of dollars in damage worldwide that could have been avoided if more individuals and organizations had kept their security patches up to date. In each of those cases, the patch for the respective vulnerability was available long before the malware was developed.

Many individuals ignore patches on their systems, and the more patches that have not been installed, the more vulnerable the system is to malware or a cyber attack. Almost all attacks that take place involve exploiting known vulnerabilities, and hence most attacks can be avoided with a simple software patch. Given that a large number of malware attacks require user interaction to be triggered, an unpatched system and a user with poor security knowledge create the perfect environment for a malware outbreak.

Even though patches help keep systems as secure as possible by fixing vulnerabilities, the NotPetya attack on 27 June 2017 used a new method of initial infection. The attackers behind the malware breached the servers of a Ukrainian software company that developed a tax preparation application called M.E.Doc, which is widely used across the country. Once on the servers, the attackers altered the latest software patch before it was released, embedding the malware in the patch.

When the patch was released, users who installed it installed the malware as well. From there NotPetya was able to propagate by itself and spread on a global scale. Since the update came from the legitimate source, the users were completely unaware of the malware embedded within it. At the same time, a large number of systems were still not patched against the SMBv1 vulnerability that was one of the propagation methods NotPetya used; this vulnerability had been made famous by the WannaCry outbreak a month earlier, yet many organizations still had not patched their systems.
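The M.E.Doc incident above is the reason an update channel cannot be trusted just because the file came from the vendor's server. The following is an added illustration, not code from this article or from M.E.Doc: a minimal Go update client that accepts a patch only when a detached Ed25519 signature verifies against a public key pinned in the client, so that a patch altered on the download server after signing is rejected. The key pair, patch bytes and extra bytes are all constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what the update server hands to the client: the patch bytes plus
// a detached signature produced with the vendor's signing key.
type Release struct {
	Patch     []byte
	Signature []byte
}

// SignRelease runs on the vendor's build system, not on the download server,
// so a breach of the server does not expose the private key.
func SignRelease(priv ed25519.PrivateKey, patch []byte) Release {
	digest := sha256.Sum256(patch) // sign a fixed-size digest of the patch
	return Release{Patch: patch, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyRelease is the client-side check. The public key is pinned inside the
// installed program, so changing files on the server is not enough to pass it.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	digest := sha256.Sum256(r.Patch)
	return ed25519.Verify(pub, digest[:], r.Signature)
}

// Tamper models a patch that was modified after it was signed (extra bytes
// appended, signature left untouched).
func Tamper(r Release, extra []byte) Release {
	patched := append(append([]byte{}, r.Patch...), extra...)
	return Release{Patch: patched, Signature: r.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	genuine := SignRelease(priv, []byte("constructed sample patch v1.1"))
	altered := Tamper(genuine, []byte("constructed extra bytes"))
	fmt.Println("genuine release verifies:", VerifyRelease(pub, genuine)) // true
	fmt.Println("altered release verifies:", VerifyRelease(pub, altered)) // false
}
```

A client built this way still needs the pinned key to be protected and rotated; what the check removes is the ability to turn a server compromise alone into a trusted update.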

Malware ranges greatly in severity depending on what it does, but sooner or later there will always be another massive global outbreak of the next destructive malware. Not patching your systems leaves you open to attacks that may result in huge losses, and as has been seen numerous times in the past, patches often become available before the malware they protect against is released.