Daylila
How cybersecurity works

Lesson 12 of 13

The patch race

Explain why unpatched software is an open door, and why timing matters.

01 · Learn · the idea

A little box pops up: “Update available. Install now or remind me later?” You click “later.” The program still works, nothing breaks, life goes on. It feels like the safest, laziest possible choice. It is one of the riskiest. The moment a security fix is published, something quiet and dangerous happens in the background — and “remind me later” leaves you standing in front of it. To see why, you have to understand what a patch actually announces to the world.

A patch is a fix — and a map to the hole

Software has flaws. When someone finds a security flaw, the maker writes a patch — an update that closes it — and releases it to everyone.

Here is the twist almost nobody notices. A security update doesn’t just quietly fix the hole. It announces it. To ship the fix, the maker effectively says: “This older version had a weakness, right here, and this is the change that seals it.” Attackers read updates closely. They compare the old version with the new one, find the exact spot that changed, and work backwards to the flaw the change was hiding. The patch becomes a treasure map to the very weakness it fixes.

So the published fix cuts both ways. For everyone who installs it, the hole is shut. For everyone who hasn’t, the hole is now public knowledge — and a crowd of attackers knows precisely where to push.

The exposure window

This sets up the idea that runs through this whole lesson: the exposure window, the gap between “a patch is available” and “you’ve installed it.”

Before a fix exists, a flaw is dangerous but obscure; few people know it’s there. The most dangerous time is after the fix exists but before you apply it, because now the weakness is advertised and you’re still running the old, open version. Every day you wait is a day you stand in front of a door everyone has been handed a map to.

And attackers move fast. Within a few days of a patch, they’ve reverse-engineered it and begun scanning huge swaths of the internet, machine by machine, asking a simple question: are you still running the old version? Anyone who answers yes gets attacked. The scanning is automatic and tireless; it doesn’t need to target you, it just sweeps everything.

Zero-days are rare; known holes do the damage

People picture hacking as mysterious “zero-day” attacks — a zero-day being a flaw the attacker knows about before any patch exists, with no fix to install. They’re real, but they’re rare, expensive, and usually saved for high-value targets.

The everyday reality is the opposite and far more boring. Most breaches use known holes — flaws that were patched long ago — against people who simply hadn’t updated. The fix existed, often for months. The door had a lock sitting right there in an update box, ignored. So the dull habit of installing updates promptly closes the large majority of the doors attackers actually walk through. Recall the layers from the last item: updating is one of the cheapest, highest-value layers you own.

A worked example: two offices, one patch

Two offices run the same program. One morning — call it Day 0 — a flaw is disclosed and the maker ships a patch the same day. Both offices get the same update notice.

Office A installs it that night. Exposed time: about one day, and that day falls before attackers have even finished building their scans. When the mass-scanning ramps up a few days later, Office A is already patched. The scanner knocks, gets the new version, moves on. Safe.

Office B is busy. Someone clicks “remind me later,” and it slips for a month. Around Day 4, attackers begin scanning the internet for the old version. Office B’s machine answers: still here, still open. It’s breached around Day 9 — barely a week in, even though the delay was meant to be thirty days. The intended “I’ll get to it next month” never mattered; the first week of the open window was enough.

Same program. Same patch, available to both on the same morning. The only difference between safe and breached was the race to install it. Office A won the race in a single evening. Office B lost it without ever deciding to — by clicking “later” one time too many.
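The two-office story can be turned into a measurement a defender runs over their own machines. The sketch below is an added example, not part of the original lesson: the host names, version numbers and dates are constructed, versions are assumed to be plain dotted numbers, and the 4-day scanning lag is an assumption taken from the story above.

```python
from datetime import date

SCAN_LAG_DAYS = 4  # assumption from the story above: mass scanning starts around Day 4


def parse_version(text):
    """'2.10.0' -> (2, 10, 0), so 2.10.0 sorts after 2.4.1 (plain string comparison gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


def exposure(row, fixed_version, released, today, scan_lag=SCAN_LAG_DAYS):
    """Return one host's exposure window for a single patch, in days."""
    patched = parse_version(row["version"]) >= parse_version(fixed_version)
    # A patched host's window closed on its update date; an unpatched one is still open today.
    closed_on = row["updated"] if patched else today
    window = max(0, (closed_on - released).days)
    return {
        "host": row["host"],
        "patched": patched,
        "window_days": window,
        "days_under_scanning": max(0, window - scan_lag),
    }


def audit(inventory, fixed_version, released, today):
    """Rank hosts: still-open windows first, then by days spent under active scanning."""
    rows = [exposure(r, fixed_version, released, today) for r in inventory]
    return sorted(rows, key=lambda r: (r["patched"], -r["days_under_scanning"]))


# Constructed sample data: Day 0 is 2024-03-01 and the audit runs on Day 9.
RELEASED, TODAY, FIXED = date(2024, 3, 1), date(2024, 3, 10), "2.4.1"
INVENTORY = [
    {"host": "office-a", "version": "2.4.1", "updated": date(2024, 3, 2)},
    {"host": "office-b", "version": "2.4.0", "updated": date(2024, 1, 15)},
    {"host": "office-c", "version": "2.10.0", "updated": date(2024, 3, 8)},
]

if __name__ == "__main__":
    for r in audit(INVENTORY, FIXED, RELEASED, TODAY):
        state = "patched" if r["patched"] else "STILL OPEN"
        print(f'{r["host"]:9} {state:10} window={r["window_days"]}d '
              f'under_scanning={r["days_under_scanning"]}d')
```

The third host is there to show that a machine can be fully patched today and still have spent several days inside the window while scanning was under way.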

On the whole

Security isn’t only walls you build once. It’s upkeep, and upkeep is about timing. A defence that was perfect yesterday has a known hole today and a published map to it tomorrow; staying safe means staying current. The unglamorous update nag is the system handing you a fresh lock and asking you to fit it before the crowd outside finishes copying the key.

You are inside this race whether you notice it or not. Every device you own is running software with holes not yet found and holes already fixed-if-you-update. You can’t close the unknown ones — but the known ones are yours to shut, cheaply, with a click you keep putting off. The humble move is to stop treating “update later” as the safe choice. More often than not, it is the open door.

02 · Try · the lab

03 · Check · quick quiz

1. Why can a published security patch actually make unpatched machines MORE dangerous to run?

  • The patch secretly weakens older versions
  • The update announces where the hole was — attackers compare old and new, find the flaw, and scan for machines still on the old version
  • Patches use up the machine's memory
  • Older versions stop working once a patch exists

Answer

The update announces where the hole was — attackers compare old and new, find the flaw, and scan for machines still on the old version — A fix is also a map to the flaw it fixes. Attackers read updates, locate the changed spot, and mass-scan for anyone still running the old version. The safest time is before a fix exists; the most dangerous is after one exists but you haven't installed it.

2. What exactly is the 'exposure window'?

  • The time before a flaw is ever discovered
  • The gap between a patch being available and you actually installing it
  • The few seconds an update takes to install
  • The warranty period of your software

Answer

The gap between a patch being available and you actually installing it — The exposure window is the stretch where a fix exists but you're still on the old version — the hole is public knowledge and you haven't shut it. Patch on day one and it's about a day; wait a month and it's about thirty days, most of it under active scanning.

3. Most real-world breaches exploit which kind of flaw?

  • Mysterious zero-days with no patch available
  • Brand-new flaws nobody has seen before
  • Known flaws that were patched long ago, against people who hadn't updated
  • Flaws that only exist in updated software

Answer

Known flaws that were patched long ago, against people who hadn't updated — Zero-days (flaws with no patch yet) are real but rare and expensive. The everyday damage comes from known, already-patched holes left open because the update was ignored — which is why prompt updating closes most of the doors attackers use.