HolyGhost logoHolyGhost
← cd ..
Learn

What Is Patching, and Why Is It the Boring Fix That Actually Works?

Most breaches exploit vulnerabilities that were already fixed. A beginner friendly guide to what patching is, why it matters so much, and how teams keep on top of it.

HolyGhost··9 min read

Imagine your car maker sends you a letter. They have discovered that a certain lock on your model can be popped open with a bent piece of wire, and thieves already know the trick. The good news is your local garage will fit the fix for free, and it takes twenty minutes. The bad news is that until you actually drive down there and get it done, your car is sitting in the street with a known weakness that anyone who read the same news can exploit. The letter does nothing. The fix only counts once it is fitted.

Patching is the digital version of that garage visit, and it is the least glamorous topic in all of security while quietly being one of the most important. A huge share of real world breaches do not rely on some dazzling, never before seen attack. They exploit a known flaw that a patch had already been released for, sitting on a system that nobody got around to updating. This is what patching is, why it matters so much, and why it is trickier in practice than it sounds.

What a patch is

A patch is an update to a piece of software that fixes something. Often it fixes a security vulnerability, which is simply a weakness or flaw that an attacker could abuse. Sometimes a patch fixes an ordinary bug, or adds a new feature. The word comes from the old habit of literally sewing a patch of fabric over a hole in clothing. The idea is the same: there is a hole, and the patch covers it.

Here is the life cycle in its simplest form:

Vulnerability found  ->  vendor releases patch  ->  you apply it  ->  hole closed

The vendor is just the company or project that makes the software, for example Microsoft for Windows or the team behind an open source library. When a flaw is discovered in their product, they write a correction and release it as a patch. Applying that patch to your own systems is what removes the weakness.

Simple in theory. The trouble lives entirely in the gap between "patch released" and "patch applied". That gap is a window of time, and while it is open, the danger is very real.

Why it matters so much

Here is the part that surprises people new to security. Attackers are not mostly hunting for exotic, secret flaws. They love known vulnerabilities, because known flaws are reliable, well documented, and easy to exploit at scale.

Think about what happens the moment a patch becomes public. The patch itself is a description of the problem. An attacker can download it, study exactly what changed, and reverse engineer the flaw it was fixing. From there they build an exploit, which is a piece of code or a technique that actually takes advantage of the weakness. Then they scan huge swathes of the internet looking for machines that have not updated yet. The attacker is quite literally racing the defenders, and every unpatched machine is a prize.

Two famous cases make this painfully concrete:

  • EternalBlue had a patch available roughly two months before the WannaCry outbreak swept across the world in 2017. The organisations that fell had simply not applied it. The fix existed and was free; the machines were unpatched.
  • Log4Shell set off a global scramble at the end of 2021 precisely because the fix existed and attackers raced everyone else to the systems that had not caught up yet.

In both cases the defenders were handed the answer in advance. The breaches happened in the gap.

Zero day versus known

A zero day is a flaw with no patch available yet, so named because defenders have had zero days to prepare. Zero days are rare, valuable, and grab all the headlines. But far more real attacks use known vulnerabilities, the ones with a patch already out. The dramatic thing and the common thing are not the same thing. Staying current on known issues is what stops the large majority of actual attacks.

How a flaw becomes public knowledge

It helps to know where these known vulnerabilities come from and how everyone hears about them. When a serious flaw is found, it is usually given a CVE identifier, which stands for Common Vulnerabilities and Exposures. A CVE is just a unique reference number, something like CVE-2021-44228, so that everyone in the world can talk about the exact same flaw without confusion.

Each one also tends to get a severity score out of ten under a system called CVSS, the Common Vulnerability Scoring System. A score near ten means "drop everything", while a low score means "fix it when convenient". These numbers are how teams decide what to deal with first, which we will come back to shortly.

Why it is harder than it sounds

If patching is so effective and often free, why on earth does anyone fall behind? Because in the real world it is almost never one click, and the reasons are worth understanding rather than judging.

  • Uptime. Applying a patch sometimes requires restarting the software or the whole machine, which means downtime. For a system that thousands of people or a hospital or a payment network depend on every second, "we will just reboot it" is not a casual decision.
  • Compatibility. An update occasionally breaks something else that relied on the old behaviour. A patch to one component can knock over an application sitting on top of it. That is why important patches need testing before they go everywhere, which takes time.
  • Scale and visibility. You cannot patch what you do not know you have. A single large organisation might run tens of thousands of machines and countless pieces of software, some installed years ago by people who have long since left. Just keeping an accurate list is a genuine struggle.
  • Legacy systems. Old software sometimes reaches the point where the vendor stops releasing patches at all, which is called reaching end of life. When no patch will ever come, the organisation faces hard choices about isolating the system away from danger or replacing it entirely, both of which cost money and effort.

Testing is not optional for critical systems

It is tempting to think the safe move is always to patch instantly. Usually it is, but a patch that breaks a hospital's records system or a factory's control software can cause harm too. The answer is not to skip patching, it is to test critical patches quickly in a safe copy of the environment first, then roll them out without dawdling. Speed and care are not enemies here, they are partners.

How teams stay on top of it

This is where patch management comes in. The phrase just means treating patching as a repeatable, disciplined process rather than something you do in a panic whenever the news gets scary. A sensible process has four steps.

  1. Inventory. Know exactly what you run, including versions and dependencies. A dependency is a smaller piece of software that a bigger one relies on, often buried out of sight. A software bill of materials, sometimes shortened to SBOM, is a full ingredient list of what is inside your software, and it lets a team answer "are we even affected by this new flaw?" in minutes instead of days.
  2. Prioritise. You cannot patch everything at once, so you rank by risk. The key questions are how severe the flaw is (that CVSS score), whether it is being actively exploited right now in the wild, and whether the affected system is internet facing, meaning reachable from the open internet rather than tucked away inside a private network. A severe flaw, under active attack, on an internet facing box, goes straight to the top.
  3. Test, then deploy. Check that important patches do not break anything, then roll them out across the estate, automating the process wherever it is safe to do so. Automation matters at scale because doing it by hand across thousands of machines simply does not finish in time.
  4. Verify. Confirm the patch actually applied everywhere it was meant to. This step is quietly the most important, because a patch you believe you deployed but which silently failed on a hundred machines is the most dangerous situation of all. You now have a false sense of safety plus a hundred open holes.

You will often hear all of this discussed under the broader banner of vulnerability management, which is the ongoing cycle of finding weaknesses, deciding which matter most, fixing them, and checking the fix stuck. Patching is the fixing step, and it is where the rubber meets the road.

The same logic applies to your own devices

This is not just an enterprise concern. Those update prompts on your phone, laptop, and browser are patches too. Turning on automatic updates for your personal devices is one of the single highest value security habits you can build, and it costs you almost nothing but a little patience while things restart.

The takeaway

Patching is the act of applying the fixes that vendors release, and it matters because most successful attacks exploit known flaws that already had a patch, on systems that fell behind. Attackers actively study public patches, build exploits, and race to find the machines that have not caught up, which is why the gap between "patch released" and "patch applied" is where so much damage happens. It is harder than it looks because of uptime, compatibility, and visibility challenges, which is exactly why serious teams run it as a disciplined process: inventory what you have, prioritise by real risk, test the important ones, deploy, and then verify it truly landed. It will never be exciting, and it will never trend on the news. But keeping current is one of the highest impact, most reliable things anyone can do for security, from a global bank right down to the phone in your pocket.