A dilemma derived from Shakespeare's Hamlet is increasingly haunting companies and security researchers: "to update or not to update, that is the question." According to the common practice recommended by software vendors, the answer is unambiguous: you should keep your software up to date.[8] But is common sense always good sense? We argue it is not.
Last year, in a Communications article,[4] Poul-Henning Kamp argued that these industry best practices do not seem to work and that a more radical reform is needed. In the same year, Massacci et al. recalled that the SolarWinds attack was delivered through an update,[5] and a follow-up article[7] showed that the recent protestware attacks are also channeled through updates.