The IT Law Wiki


A patch (also sofware patch) is a

[s]egment of program code (individual statements or routines) added to the body of a completed computer program to enhance or amend the program.[1]
modification to software that fixes an error in an application already installed on an IS, generally supplied by the vendor of the software.[2]
[a] software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.[3]
piece of software designed to fix problems with, or update, a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs and improving the usability or performance.[4]


"Software patching is a long-standing practice in computing: in its original form, the term 'patching' was quite literal, as software patches for systems processing punch cards consisted of replacement paper segments to be taped into an older deck."[5]


Often "[p]atches are developed and released by software vendors when vulnerabilities are discovered."[6] Patches may be made to a program over time, usually with little consideration given to documentation, readability of the code and logic, or meeting programming standards, if any, established for the program/system as a whole when it was first developed.

[a] patch is the immediate solution to an identified problem that is provided to users; it can sometimes be downloaded from the software maker's Web site. The patch is not necessarily the best solution for the problem, and the product developer often finds a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In many operating systems, a special program is provided to manage and track the installation of patches.[7]

"Though meant to fix problems, poorly designed patches can sometimes introduce new problems. As such, patches should be installed in a test environment prior to being installed in a live, operational system. Patches often can be found in multiple locations but should be retrieved only from sources agreed upon through organizational policy."[8]

Specific software categories[]

Proprietary operating system vendors (POSV) are constantly providing patches to mitigate vulnerabilities that are discovered. In fact, regularly scheduled monthly patches are published by many POSV to be applied to the appropriate operating system. It is also the case that POSV will, from time to time, publish security patches that should be applied on systems as soon as possible due to the serious nature of the vulnerability.

Systems running in a virtual environment are not exempted from patching. In fact, not only are the operating systems running in a virtual environment to be patched routinely, but often-times the virtualization software itself is exposed to vulnerabilities and thus must be patched either via a vendor-based solution or other technical solution.

Open source operating systems require patch and vulnerability management as well. Due to the open nature of these operating systems there needs to be a reliable distribution point for system administrators to safely and securely obtain the required patches. These patches are available at the specific vendorswebsite.


  1. U.S. Copyright Office, Compendium of Copyright Office Practices II, §326 (1984) (full-text).
  2. Practices for Securing Critical Information Assets, Glossary, at 56.
  3. Cyberspace Solarium Commission - Final Report, at 137.
  4. Criminal Justice Information Services (CJIS) Security Policy, Glossary, at A-11.
  5. Mobile Security Updates: Understanding the Issues, at 2 n.87.
  6. Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes, at 1.
  7. NIST Special Publication 800-45, Glossary, at A-2.
  8. Criminal Justice Information Services (CJIS) Security Policy, Glossary, at A-11.

See also[]