In May 2017, the WannaCry ransomware worm infected more than 200,000 computers across some 150 countries in a matter of days. The UK’s National Health Service cancelled over 19,000 appointments and diverted ambulances from affected hospitals; the Spanish telecommunications giant Telefónica was hit; FedEx was among the affected companies; and total damage was estimated in the billions of dollars. The attack did not rely on a sophisticated zero-day vulnerability that defenders had no way of knowing about. WannaCry spread using the EternalBlue exploit against a flaw in the SMBv1 file-sharing protocol in Windows, and Microsoft had published the fix for that flaw, security bulletin MS17-010, on 14 March 2017, two months before the outbreak. Every infected computer running a supported version of Windows could have been protected by that update; none of them had applied it. Machines that could not be patched immediately could still have been shielded by disabling SMBv1 or blocking TCP port 445 at the network edge, which is how the worm reached new hosts.
WannaCry is the most dramatic example of a pattern that repeats constantly at every scale. Most successful cyberattacks — against corporations, governments, and ordinary individuals — do not use exotic unknown techniques. They exploit known vulnerabilities that have already been fixed, on systems where the fix was simply never applied.
Understanding Why Vulnerabilities Exist and How Patches Work
Software is built by humans working under time constraints, and every piece of software contains imperfections. Some imperfections are cosmetic — a minor layout issue, a feature that behaves slightly differently than intended. Others are security vulnerabilities: flaws in the code that can be exploited by an attacker to gain unauthorized access to a system, execute malicious code, steal data, or install malware without the user’s knowledge.
When a security vulnerability is discovered, whether by the software’s own developers, by independent security researchers, or, worst of all, by attackers first, the developers create a patch: a targeted fix that closes the specific gap. They ship the patch as part of a software update. Users who install the update are protected; users who do not remain vulnerable.
The dangerous window is the gap between patch release and device update. Once a vendor ships a security patch, the advisory and the patch itself tell attackers exactly which code was fixed: comparing the patched and unpatched binaries (patch diffing) often locates the vulnerable function within hours, and working exploits commonly follow within days. From the moment of release the vulnerability is public and every unpatched system is a known target, so attacks against it typically rise sharply in the hours and days after the patch appears.
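To make the window concrete, here is an added example (not code from the original article) that computes, for each host in an inventory, how many days it was exposed between a fix’s release and the day it installed that fix, and which hosts were still unpatched on a given day or past a patch deadline. The MS17-010 release date (2017-03-14) and the WannaCry outbreak date (2017-05-12) are real; the host names and install dates in SAMPLE_STATES are constructed for illustration.

```python
"""Patch exposure window calculator (added example, not from the original article).

Given the date a vendor released a fix and, per host, the date that host
installed it (or None if it never did), compute how long each host was, or
still is, exposed, and which hosts breach a patch deadline. MS17-010 and the
WannaCry outbreak date are real; the hosts below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    ident: str        # vendor identifier, e.g. "MS17-010"
    released: date    # day the fix became publicly available


@dataclass(frozen=True)
class HostPatchState:
    host: str
    advisory: str
    installed: Optional[date]   # None = the fix was never applied


@dataclass(frozen=True)
class Exposure:
    host: str
    advisory: str
    days_exposed: int      # days between fix release and install (or as_of)
    still_exposed: bool    # True if the fix was not installed by as_of


SAMPLE_ADVISORIES = {"MS17-010": Advisory("MS17-010", date(2017, 3, 14))}
WANNACRY_OUTBREAK = date(2017, 5, 12)

# Constructed inventory: one host patched promptly, one patched only after the
# outbreak, one never patched.
SAMPLE_STATES = [
    HostPatchState("ws-01", "MS17-010", date(2017, 3, 16)),
    HostPatchState("ws-02", "MS17-010", date(2017, 5, 20)),
    HostPatchState("ws-03", "MS17-010", None),
]


def exposure(advisories, states, as_of):
    """Exposure of every host as seen on day `as_of`, worst first."""
    results = []
    for state in states:
        released = advisories[state.advisory].released
        if state.installed is not None and state.installed <= as_of:
            end, still = state.installed, False
        else:
            end, still = as_of, True          # not patched yet on as_of
        days = max((end - released).days, 0)  # installs before release count as 0
        results.append(Exposure(state.host, state.advisory, days, still))
    # unpatched hosts first, then by longest exposure
    return sorted(results, key=lambda e: (not e.still_exposed, -e.days_exposed))


def exposed_on(advisories, states, day):
    """Hosts that had not applied the fix on a given day, e.g. outbreak day."""
    return sorted(e.host for e in exposure(advisories, states, day) if e.still_exposed)


def overdue(advisories, states, as_of, sla_days):
    """Hosts whose exposure exceeds the patch deadline in days."""
    return sorted(e.host for e in exposure(advisories, states, as_of)
                  if e.days_exposed > sla_days)


if __name__ == "__main__":
    for e in exposure(SAMPLE_ADVISORIES, SAMPLE_STATES, WANNACRY_OUTBREAK):
        status = "STILL EXPOSED" if e.still_exposed else "patched"
        print(f"{e.host}: {e.advisory} exposed {e.days_exposed} days ({status})")
    print("exposed on outbreak day:", exposed_on(SAMPLE_ADVISORIES, SAMPLE_STATES, WANNACRY_OUTBREAK))
    print("over a 7-day deadline:", overdue(SAMPLE_ADVISORIES, SAMPLE_STATES, WANNACRY_OUTBREAK, 7))
```

Run as a script it reports that ws-02 and ws-03 had been exposed for 59 days on the day WannaCry appeared, while ws-01 closed its window after two days. The same functions work for any advisory and any inventory export that records install dates, and the deadline check maps directly onto the “within days of release” rule for operating-system patches.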
The Specific Risks of Delaying Updates
The consequences of unpatched software range from complete device compromise to quiet long-term surveillance. Some specific real-world impacts worth understanding:
Ransomware installation: WannaCry is the most famous example, but many ransomware campaigns get their initial foothold through known, unpatched vulnerabilities. Ransomware encrypts your files and demands payment for the decryption key, typically hundreds to a few thousand dollars for an individual and far more for an organization, with no guarantee of recovery even after payment.
Spyware and keyloggers: Some exploits install software that silently monitors your activity — recording keystrokes (capturing passwords as you type them), taking periodic screenshots, or accessing your webcam and microphone. This can occur without any visible indication on your device.
Data theft: Vulnerabilities in browsers, PDF readers, or office software are commonly exploited to exfiltrate personal documents, financial records, or stored credentials when a user opens a malicious file.
Botnet recruitment: Compromised devices are often added to botnets — networks of infected computers used to send spam, conduct distributed denial-of-service attacks, or mine cryptocurrency — without the owner’s awareness.
According to Malwarebytes research, over 30% of Android devices in the first half of 2025 were running outdated operating systems incapable of receiving current security patches. These devices remain vulnerable to attack methods that have long been fixed for updated users.
Which Updates Actually Matter
Not all updates carry the same urgency. Understanding the priority hierarchy helps manage update fatigue without creating dangerous gaps:
Operating system updates (Windows, macOS, iOS, Android): Highest priority. These patch the core layer that everything else runs on. Security-critical OS patches should be applied within days of release, and a patch is not in effect until the restart it asks for has actually happened.
Browser updates (Chrome, Firefox, Safari, Edge): Second highest priority. Your browser is the most exposed attack surface for web-based threats, because it parses untrusted content from every site you visit. Browsers release security updates frequently and most auto-update, but a downloaded update takes effect only after the browser is relaunched; verify that auto-update is enabled and restart the browser when it signals that an update is waiting.
Apps that connect to the internet: Email clients, messaging apps, office software, PDF readers, and any app that processes external content should be kept updated. These are common targets for exploitation via malicious file attachments.
Firmware updates for routers and smart devices: Often overlooked but important. Router firmware updates patch vulnerabilities that could let an attacker on the internet take over the router, intercept your network traffic, or reach the devices behind it. Many consumer routers do not update themselves, so check the vendor’s admin page or app for an auto-update option, and if the vendor no longer publishes firmware for your model, replace the device.
How to Enable Automatic Updates on Every Platform
Windows: On Windows 10, Settings → Update & Security → Windows Update; on Windows 11, Settings → Windows Update. Updates install automatically by default, so the things to verify are that updates have not been paused and that nothing has disabled them; then open Advanced options and enable “Receive updates for other Microsoft products” so Office and other Microsoft software are patched as well. For Store apps, open the Microsoft Store → Library → Get updates, and check that “App updates” is turned on in the Store’s settings.
macOS: System Settings → General → Software Update → click the info button (ⓘ) next to Automatic Updates → enable “Install macOS updates,” “Install Security Responses and system files,” and “Install application updates from the App Store.”
iPhone / iPad: Settings → General → Software Update → Automatic Updates → enable both “Download iOS Updates” and “Install iOS Updates.” For app updates: Settings → App Store → enable “App Updates.”
Android: Settings → System → System update (the exact path varies by manufacturer; on Samsung devices it is Settings → Software update). For app updates: Google Play Store → Profile icon → Manage apps & device → Update all, and to make this automatic, Profile icon → Settings → Network preferences → Auto-update apps.
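The toggles above are backed by ordinary configuration values, so their state can be checked from a script instead of by clicking through Settings, which is how you verify a whole fleet. The following is an added example, not code from the original article: it reads the registry values behind Windows Update (the NoAutoUpdate and AUOptions policy values, and the pause timestamp Settings writes when a user pauses updates) and the preference keys behind macOS Software Update and App Store updates, then reports anything that would leave the device unpatched. The value and key names are the ones commonly documented for these settings but should be treated as assumptions to confirm on your own build; evaluation is kept separate from collection so it can be exercised with constructed input on any platform.

```python
"""Audit whether automatic updates are actually enabled (added example, not from the original article).

Collects the settings behind the Windows Update and macOS Software Update
toggles and reports anything that would leave the device unpatched. Registry
value and preference key names are assumptions to confirm on your own build.
"""
import platform
import subprocess

# Windows: Group Policy values for Windows Update, and the user-facing pause
# timestamp written by Settings (assumed locations).
WIN_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
WIN_UX_KEY = r"SOFTWARE\Microsoft\WindowsUpdate\UX\Settings"

# macOS: preference domains behind System Settings > General > Software Update
# and the App Store "automatic updates" toggle (assumed key names).
MAC_SU_DOMAIN = "/Library/Preferences/com.apple.SoftwareUpdate"
MAC_COMMERCE_DOMAIN = "/Library/Preferences/com.apple.commerce"
MAC_REQUIRED_ON = (
    "AutomaticCheckEnabled",             # check for updates
    "AutomaticDownload",                 # download new updates when available
    "AutomaticallyInstallMacOSUpdates",  # install macOS updates
    "CriticalUpdateInstall",             # install Security Responses and system files
    "ConfigDataInstall",                 # install system data files
)


def collect_windows():
    import winreg  # only importable on Windows, hence the local import

    def read(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value absent: the Windows default applies
            return None

    return {
        "NoAutoUpdate": read(WIN_POLICY_KEY, "NoAutoUpdate"),
        "AUOptions": read(WIN_POLICY_KEY, "AUOptions"),
        "PauseUpdatesExpiryTime": read(WIN_UX_KEY, "PauseUpdatesExpiryTime"),
    }


def collect_macos():
    def read(domain, key):
        proc = subprocess.run(["defaults", "read", domain, key],
                              capture_output=True, text=True)
        return proc.stdout.strip() if proc.returncode == 0 else None

    settings = {key: read(MAC_SU_DOMAIN, key) for key in MAC_REQUIRED_ON}
    settings["AppStoreAutoUpdate"] = read(MAC_COMMERCE_DOMAIN, "AutoUpdate")
    return settings


def _is_on(value):
    return str(value).strip().lower() in ("1", "true", "yes")


def evaluate(system, settings):
    """Return a list of findings; an empty list means auto-update looks healthy."""
    findings = []
    if system == "Windows":
        if _is_on(settings.get("NoAutoUpdate")):
            findings.append("policy NoAutoUpdate=1: automatic updating is disabled")
        # AUOptions 2 = notify before download, 3 = download but notify before install;
        # both leave installation waiting on a human.
        if settings.get("AUOptions") in (2, 3):
            findings.append(f"policy AUOptions={settings['AUOptions']}: installs require manual action")
        if settings.get("PauseUpdatesExpiryTime"):
            findings.append(f"updates are paused until {settings['PauseUpdatesExpiryTime']}")
    elif system == "Darwin":
        for key in MAC_REQUIRED_ON:
            if not _is_on(settings.get(key)):  # absent key = not explicitly enabled
                findings.append(f"{key} is not enabled")
        if not _is_on(settings.get("AppStoreAutoUpdate")):
            findings.append("App Store automatic app updates are not enabled")
    else:
        findings.append(f"no collector for {system}; check this platform manually")
    return findings


def audit():
    system = platform.system()
    if system == "Windows":
        settings = collect_windows()
    elif system == "Darwin":
        settings = collect_macos()
    else:
        settings = {}
    return system, evaluate(system, settings)


if __name__ == "__main__":
    system, findings = audit()
    if findings:
        print(f"{system}: {len(findings)} finding(s)")
        for finding in findings:
            print(" -", finding)
    else:
        print(f"{system}: automatic updates look enabled")
```

Run it with administrator or sudo rights on the machine being checked (the macOS keys live in /Library/Preferences, which unprivileged users may not be able to read). An absent macOS key is reported as a finding on purpose: some of these defaults are off on a fresh install, so “not explicitly enabled” is the safe reading.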
Recognizing and Avoiding Fake Update Prompts
A significant category of malware is distributed through fake update alerts. Pop-ups appearing in your browser claiming “Your Adobe Flash Player is out of date,” “Critical Chrome update required,” or “Your Java needs immediate updating” are almost universally malicious. These prompts are designed to look like legitimate software update dialogs but install malware when clicked. The best-known of these campaigns, SocGholish, injects its fake browser-update page into compromised but otherwise legitimate websites, so the prompt can appear on a site you trust.
Legitimate updates arrive through the operating system’s built-in update mechanism, the platform’s app store, or the application’s own interface (Help → Check for Updates, or a browser’s own update indicator in its toolbar or menu), never through content rendered inside a web page. When you see such a prompt, close the tab without clicking anything in it, and check for updates through the official channel directly. Adobe Flash Player was discontinued at the end of 2020; any prompt referencing it is definitively malicious.
Frequently Asked Questions
Q: Do updates slow down my device?
A: This is a common concern, particularly on older devices. Security patches change small, targeted pieces of code and rarely have any measurable effect on performance; the large feature upgrades released once or twice a year are the ones that can demand more of older hardware. Occasionally a specific update causes a compatibility problem, but that risk is far outweighed by the risk of remaining unpatched, and the developer typically ships a follow-up fix quickly. If a device is too old to run current software comfortably, that is a reason to replace it, not to stop updating it.
Q: What if I’m using software that no longer receives updates (like Windows 7)?
A: Unsupported software is a serious, ongoing security risk. Microsoft ended support for Windows 7 on 14 January 2020 (paid Extended Security Updates ran until January 2023), so vulnerabilities discovered since then have received no patches and never will. Running Windows 7 on an internet-connected computer today means those vulnerabilities are permanently exploitable. The same applies to Windows 10 after 14 October 2025 unless the machine is enrolled in Microsoft’s Extended Security Updates. The appropriate action is to upgrade to a supported operating system. If the hardware cannot run a current Windows version, consider installing a lightweight Linux distribution, which runs on older hardware and continues to receive security updates; mainstream distributions can also apply security patches automatically (on Debian and Ubuntu, through the unattended-upgrades package).
Q: How do I know if an update notification is real or a scam?
A: Legitimate update notifications come from: the operating system’s own notification system (the Windows Update panel, macOS Software Update, iOS Settings), the application’s own menu bar (Help → Check for Updates), or the platform’s official app store (Microsoft Store, Mac App Store, Google Play, App Store). Any update prompt that appears as a browser pop-up, an unsolicited email, or a pop-up from a website you are visiting should be treated as suspicious and ignored.