Software updates can trigger a whole range of emotions in IT experts, from headaches caused by uncertainty about the consequences, to stress due to the urgent need to act, right through to relief when critical vulnerabilities are finally patched. The IT service provider Avision has taken a closer look at why updates actually have such a paradoxical effect and what possible best practices might look like.
Installing software updates is essential for IT security and is rightly regarded as the universal silver bullet. At the same time, however, it also represents a risk factor that should not be underestimated, one that can lead to new vulnerabilities. So what should be done? Because there is no alternative to most updates, companies should be fully aware of the pros and cons in order to achieve a robust level of protection through the best possible risk management. Upon closer inspection, the balancing act between risk and security naturally reveals a number of contradictions:
1. Updates close security gaps – and open new ones
Every update reduces a known risk and, at the same time, may introduce a new, unknown one. This is because any change to existing software, be it through new features, adjustments or bug fixes, can create unexpected side effects and new points of vulnerability. Security is not established once and for all by a new patch; it must be rebalanced with every update.
2. The better known the vulnerability, the greater the risk
If a vulnerability is discovered and a corresponding patch is released, that is good news at first. At the same time, however, a race against time begins. Attackers specifically analyse updates to derive exploits from them. Cases such as CrackArmor show just how narrow the window between release and attacks can be.
3. The most secure tools are often the riskiest
Security software requires extensive system privileges to perform its tasks. Unfortunately, it is precisely this fact that makes its updates particularly critical, as the example of Trivy has clearly demonstrated. Every patch alters not only an application, but potentially a highly sensitive access point within the system. If an update is installed incorrectly or even tampered with, the effect can spread immediately across the entire system.
4. Faulty updates can cause more damage than attacks
Whilst cyberattacks often target individual systems, faulty updates can bring entire infrastructures to their knees at once. The CrowdStrike incident in 2024 impressively demonstrated the impact a single faulty rollout can have on global IT systems. The difference: an attack exploits existing weaknesses, whilst a faulty update can destabilise many different systems simultaneously. This creates a systemic risk that is difficult to predict and almost impossible to isolate.
So far, so contradictory. Nadine Riederer, CEO of Avision, puts these facts into perspective:
“Even if there is no ultimate solution to the general update paradox, companies can still derive some best practices from past incidents. These include, for example, safeguarding major updates with backups and the ability to quickly revert to a previous version in the event of an error.
It is equally sensible to check release notes and feedback from the community to identify known issues at an early stage, as well as to validate updates initially in secure test environments. However, a risk-based assessment is also crucial: critical systems should generally be updated quickly, whilst less exposed systems can, where appropriate, be monitored initially and updated in stages. In hindsight, such decisions are usually easy to assess, but in practice it remains a continuous balancing act between security, stability and availability.”
This press release is also available at www.pr-com.de/de/avision.
Press contact
Avision GmbH
Christina Karl
Marketing
Bajuwarenring 14
D-82041 Oberhaching
Phone +49-89-623037-967
christina.karl@avision-it.de
PR-COM GmbH
Melissa Gemmrich
Sendlinger-Tor-Platz 6
D-80336 München
Phone +49-89-59997-759
melissa.gemmrich@pr-com.de