Royal Army College

Lesson Overview

Of all the cyber-hygiene habits, the one that protects the most for the least effort is also the one most often neglected: keeping software updated. Every device runs software, the operating system, the apps, the browser, and that software contains flaws, some of them security flaws that attackers can exploit; the makers fix these flaws and release the fixes as updates (or patches), and a device that installs them promptly is protected against those flaws, while one that does not remains open to attacks the rest of the world already knows how to make. This lesson is about that plain, powerful discipline: why updates matter so much, why out-of-date software is dangerous, and the simple habits, above all letting updates install promptly, that keep a device current and far safer than it would otherwise be. It costs almost nothing and prevents a great deal, which makes it among the best-value security habits a member can keep.

The governing idea is that a security update is a fix for a known way in, and not installing it leaves that way in open. When a maker releases a security update, they are, in effect, announcing that a flaw existed and has now been fixed, which means attackers learn of the flaw too and target the devices that have not yet patched it. So an unpatched device is not merely "a bit behind"; it is carrying a known, published hole that attackers are actively looking to exploit, and the longer it goes unpatched, the more exposed it is. Updating promptly closes these holes as fast as they are found, keeping the device current with the defences; delaying or refusing updates leaves it defending against today's attacks with yesterday's holes still open. The member who understands this treats updates not as an annoying interruption but as one of the most important things they can do for their security, and lets them happen.

This is the knowledge layer of keeping software current; the protection comes from actually keeping it, by letting updates install. It rests on the recognised cyber-hygiene foundations, where prompt patching is consistently among the most effective basic controls, and it is wholly defensive. Read this to know why updates matter; the safety comes from installing them.

By the end you will be able to explain why software has flaws and what updates fix, why out-of-date software is dangerous, the value of prompt and automatic updating, how to keep all your software current including the often-forgotten parts, and the special risk of end-of-life software.

Key Terms

Update (patch): a fix released by a software maker to correct flaws in their software, including the security flaws that attackers exploit.
Vulnerability: a flaw in software that can be exploited to attack a device or system; what a security update is released to fix.
Exploit: an attack that takes advantage of a vulnerability; once a flaw is public, exploits for it spread quickly.
Patching: the act of installing updates to fix vulnerabilities, the single most effective basic security control for the effort it takes.
Automatic updates: the setting that lets a device install updates by itself, the simplest way to stay current, removing reliance on memory.
Operating system (OS): the core software a device runs on (such as the system on a phone or computer), whose updates are among the most important.
End-of-life (EOL) software: software the maker no longer supports or updates, which therefore stops receiving security fixes and grows steadily more dangerous.
Attack surface: the sum of software on a device that could be attacked; unused software is removed to shrink it.
Zero-day: a vulnerability not yet known to the maker or fixed, against which updating cannot yet protect, which is rare and is not a reason to neglect ordinary patching.
Prompt updating: the habit of installing updates soon after they are released, before attackers exploit the now-public flaw they fix.

Why software has flaws, and what updates fix

To see why updating matters, it helps to accept a plain fact: all software has flaws. Software is enormously complex, written by people, and no program of any size is free of mistakes; some of those mistakes are vulnerabilities, flaws that an attacker can exploit to get into a device or system. This is not a sign of bad software or careless makers; it is the nature of software, and it means every device is running programs that contain, at any time, some number of undiscovered or unfixed flaws. The question is never whether software has vulnerabilities, it does, but whether the known ones get fixed promptly on your device, which is exactly what updating decides.

When a maker discovers or is told of a vulnerability, they fix it and release the fix as an update or patch, and this is the mechanism by which the known holes in software get closed. A security update is, specifically, a fix for one or more vulnerabilities, so installing it removes those ways in from your device. The makers of operating systems, browsers, and apps release such updates regularly, because flaws are continually found, and a device that installs them promptly is continually having its known holes closed, staying roughly current with the defences. The update is the delivery mechanism for security itself, which is why letting updates install is so directly a security act.

The crucial and slightly counter-intuitive point is what the release of a security update means for everyone who has not installed it. When a fix is published, the existence of the flaw becomes known, including to attackers, who can then build exploits for it and target the devices that have not yet patched. So a published security update is, paradoxically, also a map to a hole in every unpatched device, and exploits for newly-public flaws spread quickly. This is why prompt updating matters and not just eventual updating: in the window between a fix being released and your installing it, you are running a now-publicly-known vulnerability that attackers are actively seeking, so the sooner you patch, the shorter your exposure. Updating is a race against the attackers who learn of each flaw the moment its fix is announced, and prompt patching is how you stay ahead.

Why out-of-date software is dangerous

It follows that out-of-date software is dangerous, and dangerous in a specific, often underestimated way: it carries known, published holes that the wider world, including attackers, already knows how to exploit. People tend to think of an old version as merely lacking the latest features, a matter of convenience, when in security terms an unpatched device is carrying open doors whose locations are public. The danger is not hypothetical or rare; exploiting unpatched known vulnerabilities is one of the commonest ways devices and organisations are actually compromised, precisely because so many people delay or neglect updates, leaving a large population of devices with the same well-known holes for attackers to walk through.

This reframes the everyday choice to "remind me later" on an update. Each deferral is not a neutral postponement of an improvement; it is a decision to keep running a known vulnerability a little longer, to leave the published hole open, which is a real and growing risk the longer it continues. A member who routinely puts off updates is not merely behind; they are accumulating known, exploitable holes on a device that connects to the Principality's systems, which is a risk to the whole. Seen rightly, the update prompt is not an interruption to dismiss but a security fix waiting to be applied, and dismissing it is choosing to stay exposed.

The danger grows over time, too, because the longer software goes unpatched, the more known vulnerabilities accumulate against it, until an old, neglected device is riddled with public holes. And it is worst of all for end-of-life software, treated below, which stops receiving fixes entirely and so can only grow more dangerous. The lesson is plain: out-of-date software is not a minor untidiness but a real and compounding security risk, and the member who keeps their software current is closing, continually, the commonest avenue by which devices are actually attacked.

Keeping current: automatic updates and the forgotten parts

The good news is that keeping software current is easy and low-effort, which is what makes it the best-value security habit there is. The single most effective measure is to turn on automatic updates wherever they are offered, so the device installs updates by itself, promptly, without relying on the member to remember. Automatic updating removes the main reason devices go unpatched, which is simply that people forget or defer, and it ensures the device stays current as a matter of course; for most members on most devices, enabling automatic updates is the largest single improvement they can make to their security for the least effort. Where updates are not automatic, the habit is to install them promptly when prompted, treating the update prompt as a fix to apply soon, not an interruption to dismiss.

A common gap is forgetting that everything runs software, not just the obvious operating system. Members reliably update their phone's main system but forget the apps on it, the browser (the most exposed program of all, as the browsing lesson stressed), the other devices (the home router, the smart devices, the second computer), and any software that updates separately. Each of these contains vulnerabilities and needs its updates too, and an attacker only needs one unpatched program, so keeping current means keeping all of it current, not just the main system. The member casts the net wide: the operating system, the browser, the apps, the connected devices, all kept updated, because a single neglected program can be the way in.

Two further habits help. Removing software you do not use shrinks the attack surface, because every program installed is something that could have a vulnerability, so uninstalling the apps and programs you no longer need removes their potential holes entirely, a fix better than patching. And being alert to genuine update prompts versus fake ones matters, because attackers sometimes disguise malware as a fake "update" pop-up, so the member installs updates through the device's and the software's genuine update mechanisms, not by clicking an unexpected pop-up claiming an update is needed, which ties back to the safe-browsing scepticism of Lesson 06. Keeping current, then, is mostly: turn on automatic updates, install prompts promptly, update everything not just the obvious, remove what you do not use, and update only through genuine mechanisms.

   KEEPING SOFTWARE CURRENT  (best value security habit there is)

   AUTOMATIC UPDATES   turn them ON wherever offered -> the device patches
                       itself, promptly, no reliance on memory
                       ......... the single biggest improvement for least effort
   UPDATE EVERYTHING   not just the main OS: the APPS, the BROWSER (most
                       exposed), other devices (router, smart devices) too
                       ......... an attacker needs only ONE unpatched program
   REMOVE THE UNUSED   uninstall software you don't use -> shrinks the
                       attack surface (better than patching it)
   GENUINE PROMPTS     update via the device's/software's REAL mechanisms,
                       not an unexpected pop-up (fake "updates" carry malware)

   An update prompt is a SECURITY FIX waiting to be applied, not an
   interruption to dismiss.

End-of-life software and the limits

A particular danger every member should recognise is end-of-life (EOL) software: software the maker has stopped supporting and updating, which therefore no longer receives security fixes. When software reaches end of life, the makers stop patching its vulnerabilities, so from that point on, every new flaw found in it stays open forever, and the software grows steadily and unstoppably more dangerous as known, unfixable holes accumulate. An old operating system, an unsupported app, an abandoned device, may keep working, which lulls people into continuing to use it, but in security terms it is a liability that can only worsen, because the one thing that kept it safe, the flow of fixes, has stopped. The discipline is to replace or stop using end-of-life software, moving to a supported version that still receives updates, rather than continuing on something that can no longer be made safe. For an individual this means not clinging to an old, unsupported phone or system; for the Principality's systems it is a matter for those who run them, but the member's part is to recognise that "it still works" is not "it is still safe."

A brief, honest word on the limits of updating, lest it be misunderstood as a complete defence. Updating protects against known vulnerabilities, the ones a fix exists for, which is the great majority of the real-world threat. It cannot protect against a zero-day, a vulnerability not yet known to the maker and so not yet fixed, because there is no patch to install; but zero-days are relatively rare and are mostly used against high-value targets, and, crucially, the existence of zero-days is not a reason to neglect ordinary patching, because the overwhelming majority of actual attacks exploit known, patchable flaws on unpatched devices, not exotic zero-days. The member who patches promptly defends against the threat that actually accounts for most compromises; worrying about zero-days while neglecting ordinary updates would be guarding against the rare while leaving the common wide open. Updating is not a complete defence by itself, which is why it sits among the other habits of this course, but it is one of the most effective, and its limits are no excuse for neglecting it.

In Practice: The Device That Stayed Closed

Two members of the Royal Kaharagian Army carry similar devices, and the difference in their security comes down largely to a single habit: whether they keep their software current. One treats update prompts as interruptions to dismiss and clings to old software because "it still works"; the other has made keeping current an effortless habit. When a vulnerability in a widely-used program becomes public, the difference tells.

The careless member has been deferring updates for weeks, dismissing the prompts, and is running several programs with known, published holes; they have also kept an old, end-of-life app that no longer receives fixes at all. When the new vulnerability is published, with its fix, attackers begin exploiting it against unpatched devices within days, and the careless member's device, carrying that now-public hole among others, is exposed to an attack the rest of the world already knows how to make. Their device is a collection of open doors whose locations are public, and it connects to the Principality's systems.

The disciplined member did one simple thing: they turned on automatic updates everywhere they could, so their operating system, browser, and apps patch themselves promptly, and they install promptly the few prompts that are not automatic. They keep all of it current, not just the main system but the browser and the connected devices, and they have removed the apps they no longer use and replaced the end-of-life software with a supported version. So when the vulnerability is published, their device already has, or very soon automatically installs, the fix, and the attack that catches the careless member finds no open door on theirs. They also ignore an unexpected pop-up claiming an "update" is needed, installing only through genuine mechanisms, because they know fake updates carry malware. The disciplined member spent almost no effort, automatic updates do the work, and gained one of the strongest everyday protections there is, while the careless one, by treating updates as a nuisance, left the commonest avenue of attack wide open. Keeping software current is the best-value security habit there is, and this is why.

Check Your Understanding

Explain why all software has flaws, what a security update (patch) fixes, and the counter-intuitive point that a published security update is also a "map to a hole" in every unpatched device. Why does this make prompt updating matter, not just eventual updating?
Explain why out-of-date software is dangerous in a specific way (carrying known, published holes attackers already know how to exploit), and why deferring an update is "choosing to stay exposed" rather than a neutral postponement.
Describe how to keep software current with least effort (automatic updates, prompt installation, updating everything not just the OS, removing unused software, using genuine update mechanisms), the danger of end-of-life software, and why the existence of zero-days is not a reason to neglect ordinary patching.

Reflection (write a short paragraph): This lesson argues that keeping software updated is the habit that protects the most for the least effort, yet it is among the most neglected, because people see update prompts as interruptions rather than as security fixes waiting to be applied. Be honest about how you treat update prompts on your own devices: do you install them promptly, or defer them, and do you remember to update the apps, the browser, and other devices, not just the main system? Why is the simple choice to turn on automatic updates such a large security improvement for so little effort, and what makes people resist it?

Summary

All software has flaws, some of them vulnerabilities attackers can exploit; makers fix them and release the fixes as updates (patches). Installing a security update removes those ways in. Because a published fix also makes the flaw known to attackers, who quickly build exploits, prompt updating matters: the window before you patch is time spent running a publicly-known hole.
Out-of-date software is dangerous in a specific way, it carries known, published holes the world already knows how to exploit, and exploiting unpatched known flaws is one of the commonest ways devices are actually compromised. Deferring an update is choosing to stay exposed, and the risk compounds the longer it continues.
Keep current with least effort: turn on automatic updates (the biggest improvement for the least effort), install prompts promptly, update everything (OS, browser, apps, and other devices, an attacker needs only one unpatched program), remove unused software (shrinking the attack surface), and update only through genuine mechanisms (fake "update" pop-ups carry malware).
End-of-life software no longer receives fixes and so can only grow more dangerous; replace or stop using it, because "it still works" is not "it is still safe." Updating protects against known flaws (the great majority of real attacks); it cannot stop a zero-day, but zero-days are rare and are no excuse to neglect ordinary patching, which defends against the threat that actually accounts for most compromises.
This is the knowledge layer; the protection comes from actually keeping software current, above all by enabling automatic updates. The lesson underpins the safe browsing of Lesson 06 (the updated browser) and the malware defence of Lesson 07 (patched flaws cannot be exploited), supports the device security of Lesson 04, and is one of the highest-value basic controls in the whole course. Everything here is defensive and lawful.

Updates, Patching, and Keeping Software Current