Software patches fix existing vulnerabilities or bugs as they are found after a piece of software or hardware has been released. There are several types of patches:
- Hotfix – A hotfix is designed to fix one specific issue and, unlike a regularly scheduled patch, is developed and released as quickly as possible to limit the impact of that issue. The name comes from the idea of applying the fix while the software or system is running ("hot"), without closing the program; in practice many hotfixes still require a service restart or a reboot to take effect, so check the vendor's notes before assuming none is needed. A hotfix may not be publicly announced.
- Point Release – A point release (also known as a dot release) is a small or relatively minor update intended to fix an error or flaw of a piece of software without adding features.
- Maintenance Release – An incremental update released between service packs or major software versions to fix multiple outstanding issues at once.
- Security Patches – A security patch is a change applied to an asset to correct the weakness described by a vulnerability. Applying it prevents successful exploitation by removing, or at least mitigating, a threat's ability to exploit that specific vulnerability in the asset. Patch management is one part of vulnerability management, the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities (security risks).
- Service Pack (SP) or Feature Pack (FP) – A major update that bundles a collection of fixes, updates, or feature enhancements into a single installable package. A service pack typically resolves many outstanding issues and normally includes all of the patches, hotfixes, maintenance releases and security patches published before it.
Most of us are familiar with Windows Service Packs, although Microsoft has not released an update named "Service Pack" since Windows 7 SP1 in 2011; in Windows 10 the equivalent role is played by the semi-annual feature updates. For example, Microsoft began rolling out the Windows 10 Version 1903 feature update on May 21, 2019, and made it available to all users on June 6. Version 1903 introduced privacy setting updates, more control over how Windows updates are applied, Windows Sandbox for Pro and Enterprise editions, passwordless sign-in, screen mirroring for Android phones, and enhanced troubleshooting and security features.
- Unofficial Patches – These patches are created by a third-party or a user community, most often because of a lack of support from the original software developer (e.g. the software company went out of business) or when a software product has reached its defined end-of-life.
Like an ordinary patch, these are designed to correct bugs or software flaws. Malicious actors can also distribute "unofficial patches" that introduce vulnerabilities or backdoors; while this is rare and usually reported quickly, we recommend installing patches only from trusted sources, verifying the vendor's digital signature where one is provided, and, for businesses, avoiding unofficial patches altogether.
- Monkey Patches – Similar to unofficial patches, a monkey patch (also known as a guerrilla patch) is a local change that extends or modifies the behavior of a program, plugin or library at runtime, by replacing functions, methods or attributes in memory, without altering the original source files. Monkey patching is common in dynamic languages such as Python, Ruby and JavaScript, and is sometimes used as a stopgap fix for a dependency whose maintainer has not yet shipped an official patch.
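The following is an added example of a monkey patch used as a local stopgap, not code from the original article or from any real project. The `legacy_archive` module and its `extract_member` function are hypothetical stand-ins, constructed inline, for an unmaintained third-party library; the flaw they model (trusting `..` components in an archive member name) is an illustration, not a report about any real package.

```python
"""A monkey patch used as a local hotfix for an unmaintained dependency.

Added example, not code from the original article. `legacy_archive` and its
`extract_member` function are a hypothetical stand-in, constructed here, for a
third-party module whose author no longer ships fixes; the flaw it models
(trusting '..' components in an archive member name) is an illustration, not
a report about any real package.
"""
import os
import sys
import types

# --- Hypothetical third-party module, constructed in place of a real install. ---
legacy_archive = types.ModuleType("legacy_archive")


def _extract_member(member_name: str, dest_dir: str) -> str:
    """Original behaviour: joins the member name onto dest_dir with no validation,
    so '../etc/passwd' escapes the destination directory."""
    return os.path.normpath(os.path.join(dest_dir, member_name))


legacy_archive.extract_member = _extract_member
sys.modules["legacy_archive"] = legacy_archive  # so `import legacy_archive` resolves

# --- The monkey patch: rebind the module attribute at runtime; source files untouched. ---
_original_extract_member = legacy_archive.extract_member


def _hardened_extract_member(member_name: str, dest_dir: str) -> str:
    """Reject members that resolve outside dest_dir, then delegate to the original."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ValueError(f"refusing to extract {member_name!r} outside {dest_dir!r}")
    return _original_extract_member(member_name, dest_dir)


def apply_hotfix() -> None:
    """Install the wrapper on the module object. Idempotent: no double wrapping."""
    import legacy_archive as target_module  # the same module object registered above
    target_module.extract_member = _hardened_extract_member


def is_patched() -> bool:
    """Check that the live module attribute is our wrapper (useful in a health check)."""
    return legacy_archive.extract_member is _hardened_extract_member


def current_extract_member(member_name: str, dest_dir: str) -> str:
    """Call whatever extract_member is currently bound on the module."""
    return legacy_archive.extract_member(member_name, dest_dir)


def traversal_rejected(member_name: str, dest_dir: str) -> bool:
    """True if the currently bound extract_member refuses the member, False if it accepts."""
    try:
        legacy_archive.extract_member(member_name, dest_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("before patch:", current_extract_member("../etc/passwd", "/tmp/out"))
    apply_hotfix()
    print("after patch, traversal rejected:", traversal_rejected("../etc/passwd", "/tmp/out"))
```

Two caveats follow from how the patch works. It rebinds an attribute on the module object, so any caller that did `from legacy_archive import extract_member` before `apply_hotfix()` ran still holds the original, unpatched function; the patch must be applied at process start-up, before other imports. And because nothing on disk changed, a dependency scanner still reports the vulnerable version, so the stopgap should be tracked and removed once the official fix is installed.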
Patches are designed to repair a vulnerability or flaw identified after an application or software is released. As we’ve learned, there are many types of patches. For this article, we’ll focus on official patches (hotfixes, point releases, security patches, and service packs).
Unpatched software leaves a device exposed to exploits that target known, already-fixed vulnerabilities. Software patches are therefore a critical component of both IT operations and security.
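As an added illustration of the identify, classify and prioritize steps of the vulnerability management cycle described under Security Patches above (example code written for this page, not from the original article or any product): it compares a constructed host inventory against a constructed set of advisories, flags installed versions older than the fixed version using numeric rather than lexical comparison, and orders the findings by known exploitation and CVSS score. The host names, package names, `EXAMPLE-*` advisory identifiers and the remediation deadlines are all assumptions made for the example.

```python
"""Identify-and-classify step of a patch management cycle, as a worked example.

Added example, not code from the original article. Host inventory, package
names, advisory identifiers (EXAMPLE-*) and the SLA table are all constructed
for illustration; none refers to a real product, CVE or organisational policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    package: str
    fixed_in: str      # first version that carries the fix
    cvss: float        # base score, 0.0 to 10.0
    exploited: bool    # exploitation observed in the wild


# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "web-01": {"libimage": "2.4.9", "webfront": "1.10.2"},
    "db-01": {"libimage": "2.5.0", "dbclient": "5.7.9"},
    "bastion-01": {"webfront": "1.10.3"},
}

# Constructed advisories (identifiers and scores are illustrative)
ADVISORIES = [
    Advisory("EXAMPLE-2019-0001", "libimage", "2.5.0", 9.8, True),
    Advisory("EXAMPLE-2019-0002", "webfront", "1.10.3", 7.5, False),
    Advisory("EXAMPLE-2019-0003", "dbclient", "5.7.10", 5.3, False),
]


def parse_version(version: str) -> tuple:
    """'1.10.2' -> (1, 10, 2). Numeric parts compare correctly where plain string
    comparison would wrongly rank '5.7.9' above '5.7.10'."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # treat '1.10' as '1.10.0'
    b += (0,) * (width - len(b))
    return a < b


def sla_days(adv: Advisory) -> int:
    """Illustrative remediation deadlines; an assumption for this example, not a standard."""
    if adv.exploited:
        return 7
    if adv.cvss >= 9.0:
        return 14
    if adv.cvss >= 7.0:
        return 30
    return 90


def triage(inventory: dict, advisories: list) -> list:
    """Match advisories against installed versions and return findings, most urgent first."""
    findings = []
    for adv in advisories:
        for host, packages in inventory.items():
            installed = packages.get(adv.package)
            if installed is not None and is_vulnerable(installed, adv.fixed_in):
                findings.append({
                    "host": host,
                    "advisory": adv.advisory_id,
                    "package": adv.package,
                    "installed": installed,
                    "fixed_in": adv.fixed_in,
                    "cvss": adv.cvss,
                    "exploited": adv.exploited,
                    "sla_days": sla_days(adv),
                })
    # Known-exploited first, then highest CVSS, then host name for a stable order.
    findings.sort(key=lambda f: (not f["exploited"], -f["cvss"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f['host']:<11} {f['advisory']} {f['package']} {f['installed']} -> {f['fixed_in']} "
              f"CVSS {f['cvss']} exploited={f['exploited']} patch within {f['sla_days']}d")
```

The version comparison is the part that most often goes wrong in home-grown scripts: `db-01` runs `dbclient 5.7.9`, which string comparison would rank above the fixed `5.7.10` and silently drop from the report. Real advisories also carry version ranges, backported fixes and distribution-specific version strings, so in production the comparison should come from the package manager or a vulnerability feed rather than a hand-rolled parser.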
Unpatched Vulnerabilities by the Numbers
- 57% of breach victims attributed the breach to a vulnerability for which a patch was available but had not been applied. Source: ServiceNow + Ponemon Institute Study – Today's State of Vulnerability Response
- 37% of breach victims confirmed they don’t scan their systems for vulnerabilities. Source: Service Now + Ponemon Institute Study – Today’s State of Vulnerability Response
- 48% of 3,000 businesses surveyed reported one or more data breaches in the last two years. – Service Now + Ponemon Institute Study
- 34% of breach victims knew they were vulnerable before they were breached. – Service Now + Ponemon Institute Study
- 74% of companies can’t patch fast enough because they don’t have enough staff – Service Now + Ponemon Institute Study
- 65% of businesses state that it is difficult to prioritize patches. – Service Now + Ponemon Institute Study
- According to Edgescan, the average time to patch high-risk vulnerabilities rose from 64 days in 2017 to 83 days in 2018, an increase of roughly 30%. Source: Edgescan Vulnerability Stats Report 2019
- 16,555 security vulnerabilities (CVE entries) were published in 2018. Source: CVE Details
- 92% of web applications tested had security flaws or weaknesses that could be exploited. Source: ImmuniWeb
- 82% of employers report a shortage of cybersecurity skills, and 71% believe this talent gap causes direct and measurable damage to their organizations. CSIS – Cybersecurity Workforce Gap