Security Experts:

Connect with us

Hi, what are you looking for?



Auto-Patching: More or Less Risky?

Is the probability of an Automated Patch Breaking a System Worse Than the Increased Risk of Getting Hacked?

Is the probability of an Automated Patch Breaking a System Worse Than the Increased Risk of Getting Hacked?

Many organizations take a manual approach to vulnerability management. Instead of relying on automated systems, IT practitioners test and validate new patches prior to deploying them in production environments. However, in today’s dynamic threat landscape there are thousands, if not hundreds of thousands, of vulnerabilities discovered in typical organizations.

The manual approach is becoming unsustainable. This is why more systems, including the new Windows 10 operating system, are switching to hands-free, automated updates. Is automatic patching less risky than waiting for a patch to be tested and validated internally?

Automated PatchingAccording to the 2015 Verizon Data Breach Report, 99.9 percent of exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures (CVE) was published. More strikingly, over 70 percent of attacks exploited known vulnerabilities with available patches. This paints a dire picture for the existing manual testing approach to vulnerability management. Not surprisingly, at the recent RSA Conference in San Francisco, one of the discussion points on the show floor was the need for automation and orchestration, which entails solutions that help organizations leverage what they already have.

Security and IT practitioners alike are trying to minimize exposure to vulnerabilities, and are consequently considering auto-patching as an approach that could assist in achieving a more streamlined vulnerability management process. However, when Lenovo recently admitted that its system update program had critical security flaws, fears resurfaced about whether automatic system updates provide enough security. Another inhibitor is the fact that software vendors often are not transparent about what a patch will do. For instance, Windows 10 now provides far less detail on patches compared with prior versions. Often security updates are bundled with other updates that can just as easily break code. Many organizations don’t allow automatic updates because they have thousands of applications, many of which are custom-built, that a bad patch can crash.

Organizations must decide whether the probability of an automated patch breaking a user’s system is worse than the likelihood of getting hacked. With differing risk perceptions and tolerance levels, the decision must be made by each organization.

While there are risks associated with automatic update systems, including updates being hijacked by malware, as was the case with a fake Firefox update, the benefits far exceed the risks.

Organizations just need to apply special care to the implementation of the auto-patching process to minimize any shortcomings. This includes ensuring that the delivery process itself is stable and doesn’t corrupt the updated files; that it is conducted in a secure manner, meaning protected by digital signatures and encrypted; and that it follows proper cyber hygiene, which means that the patch has been validated for authenticity and quality before it is applied.

If organizations are not convinced that automation is the holy grail in tackling today’s dynamic threat landscape, they can at least enhance their existing vulnerability management practices by contextualizing detected vulnerabilities with external threat data and the risk associated with them. This will allow organizations to better align remediation resources and shorten time-to-remediation. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software flaw.

The most recent RSA Conference showcased new technologies that take a pro-active approach to vulnerability and threat management, that aggregate multiple threat intelligence feeds, and more importantly correlate external and internal security data with its business criticality or risk to the organization. This allows for increased operational efficiency and faster time-to-remediation without requiring expensive consulting services or taking the perceived risk of auto-patching and therefore offers a valid compromise.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet