

On Patches


Patches. We have all seen them, and I am sure we have all, at one time or another, ignored a seemingly unimportant patch. Patches exist because programs are not perfect - it simply is not possible to write perfect code at the current level of complexity. There will be bugs, there will be inefficiencies and there will always be better ways of doing things.

Patches are avenues for programmers to fix mistakes, make things work better and add more functionality. Of all the reasons patches are released, security has to be the most urgent. It takes only weeks from the time a vulnerability is announced until a virus/worm is created to exploit that security hole.

People cite many reasons not to patch and they are legitimate - patches do break certain programs. A patch might tighten the behavior of certain routines, thereby rendering a previous shortcut unworkable. The disruption to work can be so immense that it might be more worthwhile to take the risk of not patching. Patches can also be difficult for system administrators to administer in a huge corporate network.

However, I do think that for the majority of us home users, it is a lack of appreciation of the importance of patches that hinders their prompt installation. I bet that when the patches are for improved performance or added functionality, home users will be far more willing to install them. The unpopularity of security patches arises from the fact that security is a background technicality that has been pushed into the face of users. Users do not want to (nor should they) be burdened with security concerns when their principal goal is productive work. Thankfully, programmers understand this and have made patching as transparent as possible to the user.

Today, most self-update routines can be scheduled to run automatically or to search for updates every time the computer goes online. It is fast becoming the case that users need only click "yes" to install the patch. Ironically, this too is a potential problem. It has been recognized that users in general do not comprehend the system messages that are pushed to them. However, they do realize that clicking the "yes" icon is an adequate response in most situations. I dread the day malicious agents succeed in spoofing the auto-update program.

