
Cybersecurity Awareness Month: Keep your software up to date
One of the recurring themes of Cybersecurity Awareness Month (CAM) is that software must be kept up to date. Operating systems, applications, firmware and utilities are all candidates for updates, and applying these updates in a timely manner is one of the most powerful defenses we have. Vulnerabilities are discovered frequently, often through bug bounty programs or internal testing. With diligence and a little luck, we can patch these security gaps before an attacker sneaks through.
Zero days and other things
Some vulnerabilities are only discovered after threat actors have attacked them. These are informally referred to as ‘zero-days’ because the vendor literally has zero days to fix the flaw before it is exploited. Upon discovery, vulnerabilities and mitigation instructions are publicly disclosed and tracked with unique identifiers (such as CVE numbers) and severity data.
Not all software vulnerabilities represent the same amount of risk. This chart shows the severity of vulnerabilities published between 2001 and 2022:

National Institute of Standards and Technology (NIST). CVSS Severity Distribution Over Time.
Vendors usually deliver a security patch or other mitigation as soon as possible when a severe vulnerability is found.
Sometimes a vendor will choose to remove a piece of software rather than issue a patch. Microsoft addressed six zero-day vulnerabilities in its October 14, 2025 updates, including one that had been bundled with the operating system since Windows Vista. This vulnerability is CVE-2025-24990 and stems from a driver that supports analog data and fax modems, legacy systems that are rarely used today. Rather than fixing the vulnerability, Microsoft issued an update to remove the driver. Users who rely on the driver will need to find a replacement after installing the October 14 update.
The updates addressed several other zero-days involving operating system components like Remote Access Connection Manager (RasMan), Windows Server Update Services (WSUS), Entra ID components, and Bluetooth services. Microsoft operating system components are under intense scrutiny, but vulnerabilities are still being discovered and exploited. Even the latest updates can’t protect you from an undiscovered vulnerability.
Eternally blue
And then there are those updates that are issued but never installed. There are a few main reasons security updates do not get installed:
- Fear of disruption or downtime: IT teams may worry that installing updates will break systems and introduce new bugs. Because of this, some companies will wait until they’ve tested the updates on non-production systems. Sometimes users will just accept the risk of the vulnerability rather than install the updates.
- Limited awareness: Non-technical users may perceive updates as optional or unimportant. They dismiss update notifications, and they assume their antivirus or firewall will protect them. They simply don’t know how significant these updates can be.
- Inconvenience and administrative overhead: Updates can take time, require restarts, or demand administrative privileges — all of which users find inconvenient. Some systems are not configured for automated updates, or the updates may fail if disk space or other resources are low. IT teams may have a tiresome patch approval process in place. These issues can create significant security gaps throughout the network.
These unpatched systems can create huge problems. This was the case in 2017 when the ‘WannaCry’ ransomware campaign used the ‘EternalBlue’ exploit against Microsoft’s SMB protocol. Microsoft had released a security fix two months prior to this worldwide ransomware attack, but hundreds of thousands of affected machines remained unpatched. Despite the global and high-profile nature of the attack, there was no easy solution or quick fix. A SecureList article described the fallout:
Car maker Renault had to close its largest factory in France and hospitals in the UK had to turn away patients. German transport giant Deutsche Bahn, Spain’s Telefonica, the West Bengal power distribution company, FedEx, Hitachi and the Russian Interior Ministry were all hit, too. A month after the initial outbreak had been contained, WannaCry was still claiming victims, including Honda, which was forced to shut down one of its production facilities, and 55 speed cameras in Victoria, Australia.
Hundreds of thousands of computers were compromised through a vulnerability disclosed and patched two months prior. How much damage can be done to unpatched Windows 10 systems two months from now?
Windows 10 end of life
Microsoft released the last of the free Windows 10 updates on October 14. They gave us plenty of notice, and by now most business users will have either upgraded to Windows 11 or purchased extended updates for Windows 10. If you haven’t done this already, now is the time to act. You can opt into Extended Security Updates (ESU) for Windows 10 or upgrade to Windows 11. The ESU solution is available for three years, which should be enough time to move to another operating system. Staying on an unsupported version of Windows 10 is a security risk that will continue to grow.
It's not all about Windows
While Windows 10 draws a lot of attention, attackers also go after other components that aren’t as visible to the user. These vulnerabilities can be more difficult to patch, especially if they are present in mission-critical devices. Threat actors love targets like this because victims are under more pressure to pay a ransom if these production devices are compromised.
Strong patch management requires visibility across all software and hardware layers and prioritization of high-risk components. Upgrading to Windows 11 or purchasing ESU for Windows 10 can close some major attack vectors, but the defense doesn’t stop there. Firmware, applications, embedded systems, and mobile device operating systems must be part of your patch management program.
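As an added example (not part of the original post or of any Barracuda tooling), the following Python ranks a constructed patch backlog using the NVD CVSS v3 qualitative bands behind the severity chart above, putting known-exploited flaws and unsupported platforms ahead of everything else; the hostnames, CVE ids and scores are made up.

```python
# Added example: triage a patch backlog by CVSS band, exploitation and support status.
from dataclasses import dataclass

# NVD CVSS v3.x qualitative bands (the Critical/High/Medium/Low split used in the chart).
SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score (0.0-10.0) to its NVD qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "None"  # a base score of exactly 0.0


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder ids here; real ids come from the vendor advisory
    cvss: float
    exploited: bool   # known to be exploited in the wild (zero-day style)
    supported: bool   # vendor still ships security updates for this platform


def priority(f: Finding) -> tuple[bool, bool, float]:
    """Sort key: exploited first, then unsupported platforms, then highest CVSS."""
    return (not f.exploited, f.supported, -f.cvss)


def remediation_order(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=priority)


def severity_distribution(findings: list[Finding]) -> dict[str, int]:
    counts = {name: 0 for name, _ in SEVERITY_BANDS}
    counts["None"] = 0
    for f in findings:
        counts[cvss_band(f.cvss)] += 1
    return counts


# Constructed sample backlog (hostnames, ids and scores are made up).
SAMPLE = [
    Finding("fileserver-01", "CVE-0000-0001", 8.1, exploited=True, supported=True),
    Finding("hr-laptop-07", "CVE-0000-0002", 9.8, exploited=False, supported=False),
    Finding("kiosk-03", "CVE-0000-0003", 5.3, exploited=False, supported=True),
    Finding("fax-gateway", "CVE-0000-0004", 7.8, exploited=True, supported=False),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f.host, f.cve, cvss_band(f.cvss), "EXPLOITED" if f.exploited else "", "" if f.supported else "UNSUPPORTED")
```

Note that a Critical score on a supported, non-exploited host still ranks below a High score that is actively exploited on an end-of-life platform, which is the prioritization the WannaCry and Windows 10 examples argue for.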