3

After Patch Tuesday, zero days become public vulnerabilities and can be taken advantage of by the crowd. Therefore it becomes doubly important to patch immediately and the obnoxious automatic Windows update reboot notification becomes justified.

However, many users (including me) keep procrastinating for a few days because too many things are open or something needs to be finished where a reboot requires too much setup time.

I wonder what the degree of danger is in such a situation, if I don't actively broadcast my IP address over a peer-to-peer application and just visit reputable websites (Twitter, Gmail, etc.).

Right past Patch Tuesday, after what duration is the risk of an attack significant (say, >50%) with browsing activity where only reputable sites are visited?

4 Answers

5

This is a question that can only be answered by considering a great many variables. You've given one: when browsing activity is only on reputable websites.

A number of questions arise in my mind when you say that.

  1. Web browsing, while the most likely place to contract a virus, is not the only way. Are you 100% sure that all of your connections and downloads are secure (aside from using a browser)? What about Java applications aside from in-browser (a major source of zero-day infections)? What about email and phishing tactics? A better question would be: are you universally aware of all the connections your computer has at a given time, and are you aware of whether any given one is secure?

  2. How are you absolutely sure that the websites you visit haven't been infected themselves? Remember that a webserver on the other side of the world can be infected just as easily as you can from a zero-day infection. Combine this factor with the first: are you omniscient to know whether all of the connections your computer has are to servers that are on top of their patches?

And again, there are certainly many more variables besides these two.

Ultimately, this comes down to practice. In choosing not to patch immediately, what you are essentially saying is that your computer usage habits are completely foolproof. You are also assuming that all of the websites you trust have patched their vulnerabilities.

As to the real, hard number statistic of how vulnerable you are, that really depends on how true all those factors are. If your browsing habits and PC's connections are completely foolproof, if your trusted websites really have done their work, then your chances of infection are 0%. However, if one of those falls short of perfection, your risk increases. By how much? Well, I believe the answer to that question is:

It depends!

Here's another way to ask this question: If I have a hole in my umbrella that I'm completely unaware of, will it rain? And what part of me will get wet?

4

Honestly you don't have much to worry about. As long as you don't browse suspect sites and are behind a firewall you can delay Windows updates for some time. Many companies do not apply Windows updates for weeks or even a month or more. It's far more likely a Windows update breaks compatibility with an application, than the absence of one on your system letting a hacker into your computer.

user
  • 30,336
Keltari
  • 75,447
2

It really depends on what the update is supposed to fix. @moses makes some very good points, but always remember that not all attack vectors are through your web browser.

One example of something that isn't necessarily related to your web browser at all, but is still potentially easily remotely triggerable even with a firewall in place, is a buffer overflow bug in the HTML rendering engine that your e-mail client uses. In such a case, if you can be tricked into previewing a malicious e-mail, it could trigger the bug and allow an attacker to gain a foothold on your system. As I recall, there was a buffer overflow bug in the WMF image file format decoder that was fixed not that long ago.

Such an attack likely won't be protected against by either antivirus or firewall software, although depending on the attack payload it might be possible to reduce the consequences of a successful attack by proper firewalling and/or having up-to-date antivirus software installed.

Right past Patch Tuesday, after what duration is the risk of an attack significant (say, >50%) with browsing activity where only reputable sites are visited?

Basically any system on the Internet gets hammered basically all the time. If you don't have at least a firewall in place and it isn't kept fully up to date with patches, it's likely to get broken into in fairly short order. I seem to recall someone doing an experiment of putting an unprotected Windows XP system on the Internet some time ago and watching how long it took before it got broken into. I think the time window was in the minutes.

user
  • 30,336
0
  1. If you have an antivirus (with updates on) AND a firewall, you are safe (probably).

    reason: AV companies tend to provide updates to cover MS problems (on a best-effort basis), even if you do not apply the patches.

  2. If you have no antivirus and no firewall, you are at risk.

    reason: Viruses DO perform rootkit scans on the internet; they will attempt to intrude into every machine exposed to the internet if they can. A patch = a known exploit = a very large chance to get infected.

  3. If you have an IDS (with updates on), you are even more safe.

    reason: it will detect any known hacking or virus infection activities.