Most people may not know it, but security updates sometimes do more than patch the specific flaw they were written to address: in the course of writing the fix, the vendor may find other flaws related to the current patch and quietly fix those at the same time. So why is this bad for security?
Read on to find out more.
More does not necessarily equate to better, especially where computer security is concerned. Granted, obtaining the latest security updates and patches for an operating system like Windows is usually considered the minimum requirement for securing one's PC against external threats, but a security company known as Core Security Technologies thinks that the way those patches are produced makes for a potentially more dangerous scenario.
According to the company, the problem with security patches rolled out by OS manufacturers like Microsoft or Apple is that they sometimes end up doing more than fixing what is listed in their respective security bulletins: while fixing the reported issue, the vendor unintentionally discovers other flaws in the same batch of code and fixes all of them at once, without documenting the extra fixes.
While it may sound like an unexpected bonus to have one security patch fix extra problems in the process, Core Security Technologies believes that doing so silently may actually understate the importance of such patches, resulting in less attention being given to the more critical shortcomings they address.
The company also pointed out that if a security patch released by an OS manufacturer is described as addressing minor issues but, unknown to the user, also fixes more critical flaws, users who choose to disregard the update on the strength of that description are left at greater risk, as the more important flaws will remain unfixed on their machines.
In addition, it is feared that such patches might also expose users to potential attacks. This is because patches are usually studied and exploited by attackers as soon as they become public; an attacker who has worked out what the patch changes may therefore be able to exploit more than just the small hole which the update was supposedly created to fix, on any machine that has not yet applied it.
That being the case, does this mean that users should avoid patching their system to minimize the chances of having their machine compromised? Probably not. In fact, it should serve as a greater incentive for a user to consistently keep his or her machine updated, as even the most insignificant or unrelated update might end up having an 'extra' role in fixing additional shortcomings present in the OS, even if it comes at the risk of potentially revealing a bigger hole for hackers to drive through.
Source: Ars Technica