Why "I'll Update Later" Is Dangerous

"An update is available" - do you keep dismissing this notification on your smartphone or computer with "later" or "I'll do it tomorrow"? The truth is, the longer you postpone an update, the more your device becomes an attractive target for attackers.

What's Inside an Update - It's Not Just New Features

Software updates generally contain three types of changes.

  • New features: New camera capabilities, design changes, etc. Visible changes
  • Bug fixes: Fixes for app crashes, display glitches, and other issues
  • Security patches: Fixes for discovered vulnerabilities (security holes). Invisible but the most important

Many people think updates are about "adding new features," but in reality, security patches are the most critical component.

Zero-Day Attacks - Exploited Before a Fix Exists

An attack carried out between the discovery of a software vulnerability and the release of a fix is called a "zero-day attack." "Zero days until a fix" means there's no countermeasure available.

What's even more dangerous is the period after a patch is released. By analyzing the patch contents, attackers can figure out "where the vulnerability was." They launch attacks targeting users who haven't updated yet, right after the patch goes public.

In other words, from the moment an update is released, the attack risk for unpatched devices skyrockets.

Famous "Didn't Update" Incidents

WannaCry Ransomware (2017)

A ransomware attack that infected over 230,000 computers across 150 countries. It exploited a Windows vulnerability, but Microsoft had released a patch for this vulnerability two months before the attack. Computers that had applied the patch were not infected.

In the UK's National Health Service (NHS), many hospitals still running old Windows XP were infected, forcing surgery cancellations and emergency patient transfers.

Equifax Data Breach (2017)

An incident where personal information of 147 million people was leaked from the American credit bureau Equifax. The cause was a failure to apply a vulnerability patch for Apache Struts software for two months. This type of failure in third-party software components is closely related to supply chain attacks, where vulnerabilities in dependencies cascade into larger breaches.

Enable Automatic Updates

  • Smartphones: Both iOS and Android have automatic update features. The recommended setting is to update automatically overnight when connected to Wi-Fi
  • Computers: Set Windows Update and macOS Software Update to automatic
  • Browsers: Chrome, Firefox, and Edge auto-update by default. Don't manually disable this
  • Apps: Enable automatic updates in the App Store and Google Play
  • VPN software: Keep your VPN client updated too. An outdated VPN with a broken kill switch can silently expose your traffic

The concern that "updating might cause problems" is understandable, but the risk of not updating is far greater.

Summary

Update notifications aren't "new feature announcements" - they're "emergency repairs to plug security holes." After a patch is released, the attack risk for unpatched devices surges. Both WannaCry and Equifax were incidents that could have been prevented by applying patches. Enable automatic updates and apply them as soon as possible when notifications appear. You can check whether your current connection has any obvious security concerns using IP確認さん, which scores your security posture based on your IP address and browser configuration.

Related Terms in This Article

HTTPS Browser updates also include fixes for HTTPS vulnerabilities. IP Address Attackers exploiting vulnerabilities scan IP addresses to find unpatched devices. VPN Updating VPN software itself is also important. VPN vulnerabilities can lead to severe damage.