Software updates are essential for keeping systems running and patching known vulnerabilities, so how can they lead to cyberattacks? Surprisingly, there are several ways attackers, insider threats, or even end users can turn an innocuous fix into a cyber threat. What are the risks of updating? More importantly, how can people protect their data and devices?

When Do Software Updates Become Security Risks?

Sometimes, releases introduce new features, mechanics, or integrations. Even if the developers thoroughly review thousands of lines of code for potential weaknesses, they’re bound to overlook some. Attackers can exploit these zero-day vulnerabilities soon after the patch goes live, giving them time to target end users while team members scramble for a fix.

An incomplete fix has a similar outcome. Most people are enthusiastic about reading patch notes, so they don’t realize there might be a few weaknesses that have yet to be addressed. Their false sense of security makes them vulnerable to threats — especially because attackers can read the changelog to determine what to exploit.

Faulty releases are rare but do happen. They may brick a system or expose sensitive information, giving attackers an in. Cyberattacks occur when individuals place too much trust in developers and get lax about their security measures. In the United States, 92% of companies have experienced a cybersecurity incident because of a third-party vendor.

Hijacked upgrades are relatively uncommon but can happen. An attacker could take over the original equipment manufacturers’ device management system or covertly add a malicious script to the code. In that case, they could directly inject malware into the device of anyone who updates their program.

In March, a software engineer at Microsoft discovered someone had hijacked a source code update for xz Utils — an open-source data compressor used extensively throughout the Linux ecosystem — to create a backdoor in the operating system. The culprit was Jia Tan, a lone developer who gained trust by contributing helpful code before injecting malware.

This attack was “frightfully close” to succeeding. If it had, it would’ve been catastrophic, impacting Linux systems worldwide. Over-the-air programming — patches delivered to devices over a wireless network — is notorious for being vulnerable to these cybersecurity incidents because they are installed automatically over the internet.

Why Does Updating Software Lead to Cyberattacks?

More often than not, user error is to blame for cyberattacks. Phishing emails can be disguised as software updates, tricking unsuspecting people into installing malware instead of bringing their applications up to date. Pop-up messages are another common attack vector. They claim the person uses an outdated version or can benefit from upgrading.

Particularly malicious pop-ups have no cancel button, instead displaying options like “install now” and “install overnight,” which trick users into thinking they have no choice but to accept. These fake releases inject spyware or malware, compromising the target device. Since the victim expects something to be installed, they may not even realize their mistake initially.

Researchers recently discovered spyware disguised as an Android app that uses this strategy. This remote access trojan sends a push notification that looks like a system update. If users accept it, it steals their location data, image files, call logs, and contact lists. It also eavesdrops using the phone’s microphone and spies using the camera.

Even if the upgrade is legitimate, problems can still occur. User errors like misintegrations, disabled security features, and misconfigured settings can introduce unknown vulnerabilities. Bad actors like to strike soon after fixes go live because they get an opening when people make such mistakes.

A live environment differs significantly from controlled testing, so unexpected exploits are inevitable. Compatibility issues are a common driver for these cyberthreats. Even if no zero-day vulnerabilities exist, bad actors can take advantage of user error to infiltrate networks and attack systems.

The Consequences of Installing Malicious Updates

Malware injection is the most common consequence of a rushed, incomplete, faulty or unofficial patch. Bad actors can install ransomware, keyloggers, viruses, or spyware. This lets them brick victims’ devices in exchange for ransoms or monitor activity to collect sensitive data. If they attack a company, they can exfiltrate proprietary and personally identifiable information.

Financial losses are common in these situations. The average data breach cost in the United States totaled a record high of $9.48 million in 2023, up from $9.44 million in 2022. Individuals pay less since hackers know they have less liquidity and fewer devices to compromise. However, they still spend hundreds or even thousands of dollars on recovery.

While people are in the incident response and recovery process, attackers can steal sensitive data, making them vulnerable to identity theft, phishing, and follow-up cyberattacks. Moreover, they’ll likely have to shut down whatever program or system is causing the cyberattack, forcing unexpected downtime or delays.

Why Users Must Update Anyway Despite the Risk

Researchers spent nearly two decades building the largest dataset on user updates ever made by tracking over 150,000 medium and large-sized companies’ server software changes. They discovered that 57% of these organizations used code with severe vulnerabilities even when secure versions were available.

Knowing how easily a simple fix can become a vector for cyberattacks will prevent some people from updating. However,  this course of action is worse than the alternative. Patches address known vulnerabilities that hackers are actively looking to exploit. They also secure integrations by bringing compatibility, processing, and features up to date.

Although releases can introduce weaknesses or outright compromise a device, rejecting them has worse cybersecurity implications. Individuals who use outdated versions are more likely to be targeted by cybercriminals, resulting in more frequent and sophisticated attacks — which have a much higher chance of succeeding.

People shouldn’t assume they’re safe just because a patch is supposed to protect them. The reality of the digital age is that no matter what protections are in place, someone will eventually find a loophole or a weakness to exploit. It sounds grim but should be reassuring — it means software is just like any other asset. More often than not, vigilance is one of the best defenses.

How to Protect Data and Devices

Since ignoring software updates isn’t an option, individuals should follow best practices and use every relevant security tool at their disposal.

1. Turn off Automatic Updates

Over-the-air and automatic updates give attackers an advantage. People should turn them off and bring their systems up to date as developers make fixes available. They should also verify the server’s identity and ensure their connection is encrypted before proceeding.

2. Review Patch Notes

End users should consistently review the patch notes, changelogs, and code to identify potentially malicious tampering. This approach also lets them see which exploits were addressed and which weren’t, eliminating any false sense of security.

3. Use Secure-by-Default Configurations

The Cybersecurity and Information Security Agency recommends using secure-by-default configurations to improve cybersecurity posture. This includes using identity authentication measures and changing default passwords to something strong.

4. Use Multiple Security Tools

Patching doesn’t fix every security weakness. As the saying goes, for every vulnerability developers find, another five exist. Device owners should install firewalls, network monitoring, multifactor authentication, and virtual private networks to safeguard their data.

5. Update From the Source

Distrusting by default is becoming a prevalent cybersecurity practice. People should automatically assume any message directing them to visit a website or click on a link is phishing. They should go directly to the official source for information or installs.

Remain Vigilant to Safeguard Software and Data

Cybercriminals are cunning and sneaky, so they’ll keep inventing new ways to hijack, tamper with, or poison patches. The best course of action is to remain vigilant and cautious. Following best practices, leveraging robust security tools, and reading changelogs could mean the difference between becoming a cyberattack victim and staying safe.