Software has bugs. Large scale software invariably has LOTS of bugs. Sometimes these bugs are bad enough that they provide an entrypoint for hackers to attack your system. We call these “Vulnerabilities”. When a hacker discovers and uses a vulnerability to attack your system that’s called an “Exploit”.
Security updates patch these bugs. Sometimes they’re found internally; Large companies have entire teams whose whole job is to find vulnerabilities in their own code. Sometimes they’re found externally, either by security researchers or hackers.
Security updates could either be patching a vulnerability that was found before an exploit was developed, or they could be fixing a vulnerability that is actively being exploited. Either way they’re very important. The longer your software goes unpatched, the more and more common attacks against it will become.
Imagine a company with an extremely diligent secretary who carries out instructions perfectly but doesn’t put any thought into it.
Your company provides a remote copying service. Clients mail a form that says, “please copy ten pages” and include ten pages of material. You tell the secretary to take these forms, copy the requested number of pages, and mail the results back.
This works fine. Then one day a clever person wonders what happens if you don’t include all the pages. They mail a form that says “please copy twenty pages” but only include one page. The secretary gets this and handles it like the rest. After the first page, they just keep going. Since no more pages were provided, the secretary just grabs the next page they happened to have lying around on the desk, then the next, etc. They mail the results back to the client, who receives one page copied from their request, and 19 pages copied from random stuff on the desk, including some confidential material sent by other clients. Oops!
This is basically what the Heartbleed vulnerability was. The security update was essentially telling the secretary, “when you get one of those copy forms, don’t copy more pages than were included with the form.”
More broadly, security vulnerabilities happen when someone figures out how to trick the computer into doing something it shouldn’t. Security updates give better instructions to the computer so that trick no longer works.
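The secretary analogy above, written out in C as an added example that is not part of the original answer: a constructed `desk` buffer stands in for memory, `copy_pages_vulnerable` trusts the client's length field the way the secretary trusted the form, and `copy_pages_fixed` applies the one check the patch added. All names and the sample bytes are assumptions made for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed "desk": one client's request bytes followed, in the same
 * memory, by confidential material belonging to other clients. */
static const uint8_t desk[] =
    "PAGE0001"                      /* the single page the client sent */
    "OTHER-CLIENT-SECRET-DATA...."; /* adjacent memory, never meant to be copied */

typedef struct {
    size_t claimed_len;    /* "please copy N pages": the length field the client wrote */
    size_t provided_len;   /* pages actually included with the request */
    const uint8_t *payload;
} request_t;

/* Vulnerable handler: trusts claimed_len and copies that many bytes from the
 * payload onward, running straight into whatever follows it in memory.
 * The clamp to desk_len exists only so this demo stays in defined memory. */
size_t copy_pages_vulnerable(const request_t *req, size_t desk_len,
                             uint8_t *out, size_t out_size) {
    size_t n = req->claimed_len;
    if (n > desk_len) n = desk_len;
    if (n > out_size) n = out_size;
    memcpy(out, req->payload, n);
    return n;
}

/* Patched handler: refuse any request whose claimed length exceeds the bytes
 * that actually arrived, which is the substance of the Heartbleed fix. */
int copy_pages_fixed(const request_t *req, uint8_t *out, size_t out_size) {
    if (req->claimed_len > req->provided_len || req->claimed_len > out_size)
        return -1;   /* discard the malformed request instead of answering it */
    memcpy(out, req->payload, req->claimed_len);
    return (int)req->claimed_len;
}
/* Same malformed request ("copy 20", only 8 provided) through both handlers. */
size_t leaked_bytes_vulnerable(void) {   /* bytes of other clients' data copied: 12 */
    uint8_t out[64];
    request_t r = { 20, 8, desk };
    size_t n = copy_pages_vulnerable(&r, sizeof desk, out, sizeof out);
    return n > r.provided_len ? n - r.provided_len : 0;
}

int fixed_result(void) {                 /* patched handler rejects it: -1 */
    uint8_t out[64];
    request_t r = { 20, 8, desk };
    return copy_pages_fixed(&r, out, sizeof out);
}
```

The 12 leaked bytes are exactly the "pages from the desk" in the analogy; the fixed handler never copies them because it compares the claimed length against what was actually received before touching memory.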
Let’s say I build birdhouses.
I build them for a while and I’ve sold many, but someone tells me there is a flaw. I used nails instead of screws, and if they mess with it just right, the nails will fall out and it’ll do something that birdhouses aren’t supposed to do, like fall apart.
A security patch would be like me calling up every person I sold a birdhouse to, and offering to fix it by replacing all nails with screws.
Essentially someone wrote code in a component that has a fundamental flaw, and a patch will replace that entire component with corrected code.