“Always install updates” is the most repeated piece of cybersecurity advice in mainstream coverage, and for most consumers most of the time, it’s correct. It also obscures a real and well-documented phenomenon: updates frequently introduce new bugs, break functionality, and occasionally create security regressions of their own. Treating every update as a strict improvement is a simplification that the people writing the advice know is inaccurate.
The honest version is more useful: updates are usually good, sometimes bad, and worth a brief moment of judgment.
The CrowdStrike example wasn’t an outlier
In July 2024, a faulty update from cybersecurity vendor CrowdStrike caused widespread Windows system failures globally, grounding flights, knocking out hospital systems, and disrupting financial services for hours to days. The cause was a defective channel file pushed automatically to endpoints. The update was the failure mode.
This wasn’t unique. Microsoft has periodically pulled Windows updates that caused boot loops, printer failures, and other regressions. Apple has pushed iOS releases that degraded battery life or broke specific apps. Linux distributions occasionally ship kernel updates that fail on certain hardware. Patch regressions are documented enough that enterprise IT has entire change-management processes designed around them.
Why “update immediately” advice exists anyway
The advice persists because, on aggregate, the security risk of being unpatched is greater than the operational risk of a bad update. Most exploited vulnerabilities have patches available, sometimes for months or years, before the attack hits. Equifax’s 2017 breach famously involved a known Apache Struts vulnerability that had been patchable for two months.
So the math, at the population level, favors patching. That doesn’t mean it favors every individual install of every update on every system. Mission-critical systems, machines used for live performances or trading, and devices on tight deadlines have different risk profiles than a general-purpose laptop. The advice flattens this distinction because nuance doesn’t fit on a poster.
A more useful update posture
For high-risk security patches (actively exploited vulnerabilities, browser zero-days, identity-related fixes), patch fast. Vendors flag these in their release notes; security trackers like CISA’s Known Exploited Vulnerabilities catalog list them publicly.
For ordinary feature updates, OS major-version upgrades, and driver pushes, waiting a few days to a couple of weeks is reasonable. By then, any catastrophic bugs have surfaced in the tech press, vendor forums, and bug trackers. The marginal security benefit of being on day zero of a feature update is small. The risk of being the test case for a regression is non-trivial.
Backups, of course, sit underneath all of this. An update that goes wrong on a system with current backups is an inconvenience. Without backups, it’s a disaster.
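The posture above, written out as a small triage policy. This is an added example, not code from the original post; the KEV snapshot is a constructed placeholder rather than CISA's real catalog, and the deployment windows are assumptions, not any vendor's guidance.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed snapshot standing in for CISA's Known Exploited Vulnerabilities
# catalog. The IDs are placeholders, not real catalog entries.
KEV_SNAPSHOT = {"CVE-0000-0001", "CVE-0000-0002"}

# Windows assumed for this example: fast-track work is due within a day; routine
# pushes wait a week so regressions can surface on other people's machines first.
FAST_TRACK_DEADLINE = timedelta(days=1)
SECURITY_DEADLINE = timedelta(days=7)
SETTLING_WINDOW = timedelta(days=7)
DEFERRED_DEADLINE = timedelta(days=14)


@dataclass
class Update:
    name: str
    kind: str          # "security", "browser", "identity", "feature", "os-major", "driver"
    released: str      # ISO date, e.g. "2024-07-19"
    cves: set = field(default_factory=set)
    vendor_flagged_exploited: bool = False   # release notes say "actively exploited"


def classify(u, kev=KEV_SNAPSHOT):
    """Return (tier, reason); tier is 'patch-now', 'scheduled' or 'defer'."""
    exploited = sorted(u.cves & kev)
    if exploited or u.vendor_flagged_exploited:
        return "patch-now", "actively exploited: " + (", ".join(exploited) or "vendor flag")
    if u.kind in ("browser", "identity"):
        return "patch-now", f"{u.kind} fix, treated as fast-track"
    if u.kind == "security":
        return "scheduled", "security fix with no known exploitation"
    return "defer", f"routine {u.kind} push, let early adopters find regressions"


def plan(u, backup_current, kev=KEV_SNAPSHOT):
    """Turn the tier into install dates. A missing backup blocks scheduled and
    deferred work; fast-track work proceeds anyway because the exposure is worse."""
    tier, reason = classify(u, kev)
    released = date.fromisoformat(u.released)
    if tier == "patch-now":
        start, due = released, released + FAST_TRACK_DEADLINE
    elif tier == "scheduled":
        start, due = released, released + SECURITY_DEADLINE
    else:
        start, due = released + SETTLING_WINDOW, released + DEFERRED_DEADLINE
    action = "install" if backup_current or tier == "patch-now" else "backup-first"
    return {"name": u.name, "tier": tier, "reason": reason,
            "not_before": start.isoformat(), "deadline": due.isoformat(), "action": action}
```

Feeding the function a real KEV export instead of the placeholder set is the only change needed to use it against actual release notes.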
The bottom line
“Always update” is good general advice that becomes better when you separate critical security patches from routine feature pushes. Treat the first like fire safety and the second like a software change worth a moment of attention. Vendors don’t always get it right, and pretending otherwise is how individuals and organizations get caught flat-footed when an update behaves badly.