Operating system updates or more specifically operating system patches – some operating system vendors call their patches updates to help add to the confusion – are exceptionally irritating when you investigate what they are. To bring in a foolish analogy (as everything needs), operating system patches are roughly the same as a car manufacturer issuing a recall notice – varying from “please bring in your car sometime in the next month to get the cupholders replaced”, to “please don’t drive your car until we’ve picked it up and returned it after fixing the brake software”.
It is rather extraordinary that in many cases you have to pay to obtain access to the operating system patches, and in fact that people actually pay real cash for operating systems that require this number of patches. After all a car manufacturer that issued 9 different recall notices in a single day and repeated this time after time would quite quickly go out of business. As an example of how bad things can be, some patch details from a recently patched system :-
|Age||Number of patches|
I could go on with further details, but it is rather too depressing – on the day after the vendor released 9 patches they released another patch, and yet another the day after.
So What Are The Patches ?
Patches vary from fixing problematic conditions found when using certain bizarre combinations of hardware and software (such as running an older release of an operating system on newer hardware), to plugging security holes that have been discovered. One thing that they all have in common is that they are fixes to the operating system.
They essentially repair parts of the operating system so that it functions according to how the operating system is specified. Or to put it another way, they do not add in any functionality changes. In this they differ from application patches which often require extensive testing to ensure that the application still functions as expected; whilst everyone hopes that the operating system vendor performs extensive patch testing, the need for site-based patch testing is a great deal less than for application patches.
As the saying goes, “If it ain’t broke, don’t fix it”.
Well firstly the idea that an operating system isn’t broken just because it is still running is essentially wrong – the fixes they have included in the patches are perhaps for conditions that do not occur every day, but they are still fixes which means that the operating system is broken.
As a special case of “broken”, some of those patches are to apply security patches to an operating system to fix security holes that could be potentially used by an attacker (who could be on the “inside”) to break into a system. In this case, not patching could be considered to be somewhat negligent and the old method of exclaiming “Oops!” won’t keep the Information Commissioner too happy.
Lastly, the longer you leave a system without patching it, the harder it becomes to patch – apart from anything else the list of patches keeps getting longer!
Or to put it another way, it is easy to see that there is a risk in patching a critical server; it is just as true that there is a risk in not patching a server. Because the risk of not patching a server increases over time, there is no case where the risk of patching will always override the risk of not patching.