Patching

Software is made up of thousands of lines of code. Studies have found that in every 1000 lines of code there is on average 10-15 errors. Most of these errors are unnoticeable to the user, however, each error is a potential vulnerability. When vulnerabilities are discovered, reputable software developers release fixes as software updates to correct the known error, this is known as ‘patching’. Old and ‘unpatched’ software that has not been updated is therefore vulnerable to hackers and cyber criminals.

Cyber Essentials requires that all critical and high risk updates or updates with no details provided must be installed within 14 days of release by the vendor.

• • Some vendors use different terms to describe the severity of vulnerabilities. ‘Critical’ or ‘high risk’ can also be described as a CVSS v3 base score of 7 or above, which uses the Common Vulnerability Scoring System ( CVSS) to provide a numerical representation of the severity of software vulnerabilities.

When software is unsupported, the vendor will cease to create and send out patches. The age of software when it becomes unsupported varies significantly between vendor. 

At this point, the software is classed as ‘legacy’ or ‘end of life’ as it is no longer supported and therefore no longer secure to use. Not only are the vulnerabilities left un-patched, but they become public knowledge for security researchers and hackers alike who create programmes and services to make them easy to exploit, even for attackers with low levels of technical expertise.