When it comes to software, there are two rules:
- Rule #1 - No piece of software is perfect.
- Rule #2 - If you think that new software package installed on your system does not have any hidden flaws, see Rule #1.
Every piece of software, whether it is an operating system, a database system, a networking system, an application, etc., will occasionally need to be updated to correct flaws that have been uncovered. Usually, the software vendors will do their best to address flaws in their products in a timely manner. Once they have tested the corrected version of their software, they make that version available to their customers. It is then up to their customers to actually update their individual computer systems.
Some of the flaws that are uncovered weaken the security of the system. For example, due to a flaw in the code, the software inadvertently may allow someone who has user privileges to upgrade their privileges to the administrator level without authorization or a valid administrator's action.
What happens when a vendor releases a security update?
If the vendor releases a security update for one of their software products, savvy individuals who are intent upon compromising systems and information will often do the following:
- Isolate and analyze the code change by comparing the old and new versions of the software to determine how the flaw that was corrected had previously weakened security
- Develop a program to exploit the security flaw that was corrected
- Probe all of the devices connected to the Internet to find computers, tablets, smartphones and other devices that have not yet been updated
- Run the exploitative software that they developed on the systems that they found to be unpatched during their probes
The software that the malicious individuals develop could include code to read through your hard drive, make your hard drive unusable by encrypting it, make your system attack other targeted computers, insert a back door into your system for future exploits, etc.
With the amount of intense effort being expended worldwide by the thousands of individuals intent upon compromising systems and information, the time between an update being released and a related exploit hitting the Internet is becoming shorter and shorter - in many cases, no more than a couple of days.
How updates are applied to University-owned systems
Microsoft software on University-owned computers is automatically updated through a service called the Windows Software Update Service or WSUS. Once every month, Microsoft releases updates to their software products and makes those updates available to organizations that use WSUS or other patch management products. Upon receipt of those updates, the Office of Information Technology (OIT) staff will set up WSUS to install the updates on a test system to ensure that they do not conflict with any other pieces of software that we may run. Once testing is successful, OIT directs WSUS to deliver the tested updates to participating computers. The most that users usually see is an indication that the patches are ready to be installed and a request to restart their computer to complete the updates.
Non-Microsoft updates may be applied in one of two ways:
- Some vendors, such as Apple and Mozilla, allow each user to select an option that will automatically apply new updates to his or her system directly from the vendor
- Other products, such as those from Adobe and Oracle, particularly Java, require a more direct, manual effort to apply the updates
In both of the above cases, administrative privileges to your computer are required to apply the updates. If you do not have administrative access to your computer, please contact the OIT Support Center at extension 2828 or firstname.lastname@example.org and a member of OIT Tech Services will apply the updates for you.
OIT is currently evaluating patch management software that will apply updates automatically to most of the products that are installed on University-owned systems. Once a patch management solution is implemented, direct administrative access to your computer will not be required for the updates to be applied.
Updating software on your own computer
As stated above, many software products can be configured to be updated automatically as soon as the update is released. It is strongly recommended that any software product installed on your system that provides an automatic update function be configured to use it. In cases where you would like to control when the update is applied, you may update your system manually, but please do so as close to the update's release date as possible. Additionally, some updates do not take effect until your system is rebooted, so after an update is applied and you are prompted to reboot, please