Software update

From HandWiki
Short description: Process of changing installed software to be more modern
This article is about software update in general. For the discontinued macOS component, see Apple Software Update.

Software update is the process of changing installed software with the intent to make it more modern. It also refers to the stored data used to update software. When storage was significantly more expensive, patching files was the dominant form of update. With the advent of larger distribution storage media and higher Internet bandwidth, it became common to replace entire files instead of patching.

An update may require prior application of other updates, or may require prior or concurrent updates to multiple components. To facilitate updates, operating systems often provide automatic or semi-automatic updating facilities. Package management systems offer update automation.

An update can be any size. An update can be relatively large when the changes add or replace data such as graphics and sound files; for example for a game update. An update usually takes less time to run than an initial installation of the software.

Although often intended to upgrade, an update may instead degrade. An update may include unintentional regression problems. In some cases, an update intentionally disables functionality, for instance, by removing aspects for which the consumer is no longer licensed.

Management

A Sparkle software update prompt on macOS


Software update systems allow for updates to be managed by users and software developers. In the 2017 Petya cyberpandemic, the financial software "MeDoc"'s update system is said to have been compromised to spread malware via its updates.[1][2] On the Tor Blog, cybersecurity expert Mike Perry states that deterministic, distributed builds are likely the only way to defend against malware that attacks the software development and build processes to infect millions of machines in a single, officially signed, instantaneous update.[3] Update managers also allow for security updates to be applied quickly and widely. Update managers of Linux such as Synaptic allow users to update all software installed on their machine. Applications like Synaptic use cryptographic checksums to verify source/local files before they are applied to ensure fidelity against malware.[4][5]

Automatic updating has become more widespread over time. Some cite a cause of its prevalence to be due to Windows support in early 2000s. Service Pack 2 of Windows XP (available in 2004) enabled it by default.

Classification

Updates are classified many ways. Notable classifications in alphabetical order follow.

Hotfix

This section is an excerpt from Hotfix[ edit ]

A hotfix or quick-fix engineering update (QFE update) is a single, cumulative package that includes information (often in the form of one or more files) that is used to address a problem in a software product (i.e., a software bug).[6] Typically, hotfixes are made to address a specific customer situation.

The term "hotfix" originally referred to software patches that were applied to "hot" systems: those which are live, currently running, and in production status rather than development status. For the developer, a hotfix implies that the change may have been made quickly and outside normal development and testing processes. This could increase the cost of the fix by requiring rapid development, overtime or other urgent measures. For the user, the hotfix could be considered riskier or less likely to resolve the problem. This could cause an immediate loss of services, so depending on the severity of the bug, it may be desirable to delay a hotfix. The risk of applying the hotfix must be weighed against the risk of not applying it, because the problem to be fixed might be so critical that it could be considered more important than a potential loss of service (e.g., a major security breach).

Similar use of the terms can be seen in hot-swappable disk drives. The more recent usage of the term is likely due to software vendors making a distinction between a hotfix and a patch.

Malicious update

Some hacker may compromise legitimate software update channel and inject malicious code.[7]

Patch

This section is an excerpt from Patch (computing)[ edit ]

A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it.[8] This includes fixing security vulnerabilities[8] and other bugs, with such patches usually being called bugfixes or bug fixes.[9] Patches are often written to improve the functionality, usability, or performance of a program. The majority of patches are provided by software vendors for operating system and application updates.

Patches may be installed either under programmed control or by a human programmer using an editing tool or a debugger. They may be applied to program files on a storage device, or in computer memory. Patches may be permanent (until patched again) or temporary.

Patching makes possible the modification of compiled and machine language object programs when the source code is unavailable. This demands a thorough understanding of the inner workings of the object code by the person creating the patch, which is difficult without close study of the source code. Someone unfamiliar with the program being patched may install a patch using a patch utility created by another person who is the Admin. Even when the source code is available, patching makes possible the installation of small changes to the object program without the need to recompile or reassemble. For minor changes to software, it is often easier and more economical to distribute patches to users rather than redistributing a newly recompiled or reassembled program.

Although meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions). In some special cases updates may knowingly break the functionality or disable a device, for instance, by removing components for which the update provider is no longer licensed.

Patch management is a part of lifecycle management, and is the process of using a strategy and plan of what patches should be applied to which systems at a specified time.

Patch release

This section is an excerpt from Patch release[ edit ]
A software versioning diagram
Point releases are the off-white boxes in the diagram.
A patch release (often colloquially also known as a point release, dot release, or bugfix release) is a software release of a product or other project, especially one intended to fix bugs or do small cleanups rather than add significant features. Often, there are too many bugs to be fixed in a single major or minor release, creating a need for a point release.

Program temporary fix

This section is an excerpt from Program temporary fix[ edit ]

In IBM terminology, a program temporary fix or product temporary fix (PTF), sometimes depending on date,[10][11] is a one or more bug fixes – distributed in a form ready to install.

A PTF normally follows an Authorized Program Analysis Report (APAR),[12] and where an "APAR fix" was issued, the PTF "is a tested APAR"[13] or set of APAR fixes. However, if an APAR is resolved as "Fixed If Next" or "Permanent Restriction" then there may be no PTF fixing it, only a subsequent release.

Security patch

A security patch is a change to correct the weakness described by a vulnerability. The corrective action prevents successful exploitation and removes or mitigates a threat's capability to exploit a specific vulnerability. Patch management is a part of vulnerability management – the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.

Security patches are the primary method of fixing security vulnerabilities in software. Currently Microsoft releases its security patches once a month ("patch Tuesday"), and other operating systems and software projects have security teams dedicated to releasing the most reliable software patches as soon after a vulnerability announcement as possible. Security patches are closely tied to responsible disclosure.

These security patches are critical to ensure that business process does not get affected. In 2017, companies were struck by a ransomware called WannaCry which encrypts files in certain versions of Microsoft Windows and demands a ransom via BitCoin. In response to this, Microsoft released a patch which stops the ransomware from running.

Service pack

This section is an excerpt from Service pack[ edit ]
Windows XP SP2 installation disc.

In computing, a service pack comprises a collection of updates, fixes, or enhancements to a software program delivered in the form of a single installable package. Companies often release a service pack when the number of individual patches to a given program reaches a certain (arbitrary) limit, or the software release has shown to be stabilized with a limited number of remaining issues based on users' feedback and bug reports. In large software applications such as office suites, operating systems, database software, or network management, it is not uncommon to have a service pack issued within the first year or two of a product's release. Installing a service pack is easier and less error-prone than installing many individual patches, even more so when updating multiple computers over a network, where service packs are common.

Service packs are usually numbered, and thus shortly referred to as SP1, SP2, SP3 etc.[14] They may also bring, besides bug fixes,[15] entirely new features, as is the case of SP2 of Windows XP (e.g. Windows Security Center), or SP3 and SP4 of the heavily database dependent Trainz 2009: World Builder Edition.[16]

Unofficial patch

This section is an excerpt from Unofficial patch[ edit ]
An unofficial patch is a patch for a piece of software, created by a third party such as a user community without the involvement of the original developer. Similar to an ordinary patch, it alleviates bugs or shortcomings. Unofficial patches do not usually change the intended usage of the software, in contrast to other third-party software adaptions such as mods or cracks.

Video game patch

A video game receives an update (often called a patch) to fix problems and to change features such as change game rules and algorithms. These updates may be prompted by the discovery of exploits in the multiplayer game experience that can be used to gain unfair advantages over other players. Extra features and gameplay tweaks can often be added. These kinds of updates are common in first-person shooters with multiplayer capability, and in MMORPGs, which are typically very complex with large amounts of content, almost always rely heavily on updates following the initial release, where updates sometimes add new content and abilities available to players. Because the balance and fairness for all players of an MMORPG can be severely corrupted within a short amount of time by an exploit, servers of an MMORPG are sometimes taken down with short notice to apply a critical fix.

Companies sometimes release games knowing that they have bugs. Computer Gaming World's Scorpia in 1994 denounced "companies—too numerous to mention—who release shoddy product knowing they can get by with patches and upgrades, and who make 'pay-testers of their customers".[17]

Process

Software update processes vary dramatically. Some notable processes are described here.

Firmware update

Updating firmware (i.e. motherboard BIOS) can be challenging when it involves replacing the entire image on the hardware. As such, an error or interruption during the update process, such as loss of power, may render the hardware unusable.

An update, a binary image, is often installed via a supplier-provided program that overwrite the existing image with another. This program may safeguard against serious damage. For example, the update procedure could make and keep a backup of the firmware in case it determines that the primary copy is corrupt (i.e. via a checksum).

Limited release

In the cases of large updates or of significant changes, distributors often limit availability of updates to qualified developers as a beta test.

Hot patching

Hot patching, also known as live patching or dynamic software updating, is the application of patches without shutting down and restarting the system or the program concerned. This addresses problems related to unavailability of service provided by the system or the program.[18] Method can be used to update Linux kernel without stopping the system.[19][20] A patch that can be applied in this way is called a hot patch or a live patch. This is becoming a common practice in the mobile app space.[21] Companies like Rollout.io use method swizzling to deliver hot patches to the iOS ecosystem.[22] Another method for hot-patching iOS apps is JSPatch.[23]

Cloud providers often use hot patching to avoid downtime for customers when updating underlying infrastructure.[24]

Slipstreaming

Slipstreaming is the act of integrating updates into the installation files of their original app, so that the result allows a direct installation of the updated app.[25][26]

The nature of slipstreaming means that it involves an initial outlay of time and work, but can save a lot of time (and, by extension, money) in the long term. This is especially significant for administrators that are tasked with managing a large number of computers, where typical practice for installing an operating system on each computer would be to use the original media and then update each computer after the installation was complete. This would take a lot more time than starting with a more up-to-date (slipstreamed) source, and needing to download and install the few updates not included in the slipstreamed source.

However, not all updates can be applied in this fashion and one disadvantage is that if it is discovered that a certain update is responsible for later problems, that update cannot be removed without using an original, non-slipstreamed installation source.

See also

References

  1. Thomson, Iain. "Virus (cough, cough, Petya) goes postal at FedEx, shares halted". https://www.theregister.co.uk/2017/06/28/fedex_tnt_express_virus_attack/. 
  2. "New Petya Distribution Vectors Bubbling to Surface". Threatpost. 28 June 2017. https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/. 
  3. "Deterministic Builds Part One: Cyberwar and Global Compromise | The Tor Blog" (in en). https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise. 
  4. Proffitt, Brian (2008) (in en). Introducing Ubuntu: Desktop Linux. Cengage Learning. ISBN 978-1598637656. https://books.google.com/books?id=Fe8LAAAAQBAJ&pg=PA141. Retrieved 11 July 2017. 
  5. Magazines, S. P. H. (2007) (in en). HWM. SPH Magazines. https://books.google.com/books?id=G-sDAAAAMBAJ&pg=PT96. Retrieved 11 July 2017. 
  6. Bragg, Roberta (2003). "5: Designing a Security Update Infrastructure". MCSE Self-Paced Training Kit (Exam 70–298): Designing Security for a Microsoft Windows Server 2003 Network. Redmond, WA: Microsoft Press. p. 5–12. ISBN 0735619697. https://archive.org/details/mcseselfpacedtra00brag_0. 
  7. "How Malicious Software Updates Endanger Everyone". american civil liberties union. https://www.aclu.org/how-malicious-software-updates-endanger-everyone. 
  8. 8.0 8.1 "Microsoft issues biggest software patch on record". Reuters. 2009-10-14. http://www.news.com.au/technology/story/0,28348,26208289-5014239,00.html. 
  9. "What is a Bug Fix? – Definition from Techopedia". http://www.techopedia.com/definition/18105/bug-fix. 
  10. In 2001 a long time IBMer wrote "I thought it was now Product Temporary Fix." "Should APARs be accepted". https://groups.google.com/d/topic/bit.listserv.ibm-main/Ir_Jp8C50KM. 
  11. Nonetheless PROGRAM temporary fix is still in use. "Traps do not process for CiscoAPIC models in CA Spectrum". September 11, 2017. https://support.ca.com/us/knowledge-base-articles.TEC1984606.html. 
  12. IBM Corporation. "IBM Security: APARs explained". https://www.ibm.com/support/pages/ibm-security-apars-explained. Retrieved Oct 14, 2019.  a formal report from IBM development to customers that have notified IBM of a problem or suspected defect.
  13. Cite error: Invalid <ref> tag; no text was provided for refs named Gabe
  14. One counterexample is Microsoft SQL Server 2000 Service Pack 3a
  15. Example of Service Pack list of changes for a multi-module/multi-mode software product: Trainz SP2 involved feature changes and bug fixes
  16. Trainz Railway Simulators Service Packs Table versus major release version titles
  17. Scorpia (April 1994). "So You Want To Be A Hero?". Computer Gaming World: 54–58. http://www.cgwmuseum.org/galleries/index.php?year=1994&pub=2&id=117. 
  18. "Oracle Magazine". Oracle.com. http://www.oracle.com/technology/oramag/oracle/07-sep/o57field.html. 
  19. "Live patching the Linux kernel". https://developer.ibm.com/technologies/linux/tutorials/live-patching-the-linux-kernel/. 
  20. "Linux Kernel Live Patching: What It is and Who Needs It". 6 March 2020. https://www.infosecurity-magazine.com/blogs/linux-kernel-live-patching/. 
  21. "Hot or Not? The Benefits and Risks of iOS Remote Hot Patching « Threat Research Blog". https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html. 
  22. Perez, Sarah (22 September 2015). "Rollout.io Puts Mobile Developers Back In Control Of Their Apps". https://techcrunch.com/2015/09/22/rollout-io-puts-mobile-developers-back-in-control-of-their-apps/. 
  23. "bang590/JSPatch". https://github.com/bang590/JSPatch. 
  24. "Hot Patching SQL Server Engine in Azure SQL Database" (in en). 2019-09-11. https://techcommunity.microsoft.com/t5/Azure-SQL-Database/Hot-Patching-SQL-Server-Engine-in-Azure-SQL-Database/ba-p/849700. 
  25. Karp, David (14 July 2008). "Build an XP SP3 Recovery Disc". Ziff Davis. https://www.pcmag.com/article2/0,2817,2325399,00.asp. 
  26. Thurrott, Paul (7 May 2008). "Slipstreaming Windows XP with Service Pack 3 (SP3)". Penton. http://winsupersite.com/article/windows-xp2/slipstreaming-windows-xp-with-service-pack-3-sp3-128464. 



Retrieved from "https://handwiki.org/wiki/index.php?title=Software_update&oldid=3988854"