Why companies should respond to Salesforce Critical Updates
Introduction

Salesforce periodically releases updates pertaining to organization-wide limitations, governor limits, etc. to improve usability, stability and system performance. Because these updates may affect existing customizations, Salesforce lists them under "Critical Updates" and alerts admins to review them when they go to Setup. Each update can be manually activated and deactivated several times to evaluate its impact on the organization and to modify the affected customizations accordingly. If the update is not activated or deactivated manually within the given time frame, Salesforce auto-activates it permanently. Let me explain this with a few examples:
Example 1: Text Encrypted Formula Field

Suppose an admin has a business use case that requires a text encrypted formula field. Even though he used an encrypted field, the data is visible, which is a security breach in Salesforce. To rectify this issue, Salesforce releases critical updates, the same way we get OS updates on our iPhone or Android devices. Some people might already have used this feature (the text encrypted formula field), thinking it to be expected behavior. If Salesforce imposed the update all of a sudden, it would impact the customer's business because of the existing customization built on that behavior. Therefore, to avoid such impacts, Salesforce releases critical updates periodically and sends an alert notification to all admins asking whether they will activate the fix manually or let the system auto-activate it.
Example 2: Clickjacking in Visualforce

Clickjacking is a type of attack that tricks users into clicking something, such as a button or a link, because they believe they are clicking something safe. Instead, the button or link performs malicious actions on your site, leading to data intrusion, unauthorized emails, changed credentials, etc. Such an attack can be carried out using JavaScript: with the user's session Id, data can be updated in Salesforce. Some users might have used JavaScript and the session Id intentionally in their own customizations. As the update would impact users who rely on the session Id in this way, Salesforce sends out an alert/notification so that they can look for possible workarounds. Salesforce usually releases these updates with every release, where
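Clickjack protection is enforced by the browser, based on the anti-framing response headers a page sends (X-Frame-Options and the Content-Security-Policy frame-ancestors directive); the Salesforce setting turns those headers on for Visualforce pages. The following is an added example, not code from the original post or from Salesforce: a small checker that, given a page's response headers, decides whether a browser would let a given third-party origin embed that page in a frame. It is what an admin would use to verify that a page is actually protected after activating the update. All header values and origins in it (myorg.example, third-party.example, my-trusted-partner.example) are constructed sample values.

```javascript
// Added example: evaluate anti-clickjacking response headers the way a
// browser does. Not part of the original post; all sample values are
// constructed.

// Parse a Content-Security-Policy header value into a map of
// directive name -> list of source expressions.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // The first occurrence of a directive wins, as in the CSP spec.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return true if one frame-ancestors source expression matches the
// origin that is trying to embed the page. Ports are not handled here.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'self') return embedderOrigin.toLowerCase() === pageOrigin.toLowerCase();
  if (s === '*') return true;
  const emb = new URL(embedderOrigin);
  // Split an optional scheme off the host pattern.
  const [scheme, host] = s.includes('://') ? s.split('://') : [null, s];
  if (scheme && scheme + ':' !== emb.protocol) return false;
  // "*.example" matches any subdomain but not the bare domain.
  if (host.startsWith('*.')) return emb.hostname.endsWith(host.slice(1));
  return emb.hostname === host;
}

// Decide whether a browser would allow `embedderOrigin` to frame a page
// served from `pageOrigin` that responded with `headers`.
// frame-ancestors takes precedence over X-Frame-Options when both exist.
function framingAllowed(headers, embedderOrigin, pageOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };

  const csp = get('content-security-policy');
  if (csp) {
    const ancestors = parseCsp(csp).get('frame-ancestors');
    if (ancestors) {
      if (ancestors.some((s) => s.toLowerCase() === "'none'")) return false;
      return ancestors.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
    }
  }

  const xfo = get('x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return embedderOrigin.toLowerCase() === pageOrigin.toLowerCase();
    // ALLOW-FROM is obsolete and unknown values are ignored by current
    // browsers, so the header gives no protection in that case.
    return true;
  }

  // No anti-framing header at all: any site can frame the page.
  return true;
}

// Convenience check an admin would run: can an arbitrary third-party site
// frame this page? (third-party.example is a constructed origin.)
function protectedAgainstClickjacking(headers, pageOrigin) {
  return !framingAllowed(headers, 'https://third-party.example', pageOrigin);
}

// Constructed sample responses: what a protected and an unprotected page
// might send.
const PROTECTED = {
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "frame-ancestors 'self' https://*.my-trusted-partner.example",
};
const UNPROTECTED = { 'Content-Type': 'text/html' };

console.log('protected page framable by a third party:',
  framingAllowed(PROTECTED, 'https://third-party.example', 'https://myorg.example'));
console.log('unprotected page framable by a third party:',
  framingAllowed(UNPROTECTED, 'https://third-party.example', 'https://myorg.example'));
```

Run it with `node` on a captured header set (for example from the browser's developer tools) to confirm that a Visualforce page that should be protected really answers with one of these headers; a page that returns neither header, or only an ALLOW-FROM value, is still framable and the update has not taken effect for it.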