How risky is it to offset Windows Update for a few days?

3

After Patch Tuesday, zero days become public vulnerabilities and can be taken advantage of by the crowd. Therefore it becomes doubly important to patch immediately and the obnoxious automatic Windows update reboot notification becomes justified.

However, many users (including me) keep procrastinating for a few days because too many things are open or something needs to be finished where a reboot requires too much setup time.

I wonder what the degree of danger is in such a situation, if I don't actively broadcast my IP address over a peer-to-peer application and just visit reputable websites (Twitter, Gmail, etc.).

Right past Patch Tuesday, after what duration is the risk of an attack significant (say, >50%) with browsing activity where only reputable sites are visited?

Wuschelbeutel Kartoffelhuhn

Posted 2013-08-13T20:15:22.727

Reputation: 1 240

Answers

4

Honestly you don't have much to worry about. As long as you don't browse suspect sites and are behind a firewall you can delay Windows updates for some time. Many companies do not apply Windows updates for weeks or even a month or more. It's far more likely a Windows update breaks compatibility with an application, than the absence of one on your system letting a hacker into your computer.

Keltari

Posted 2013-08-13T20:15:22.727

Reputation: 57 019

If someone had your IP address and has an automated tool (that just tries to exploit all vulnerabilities), is being hacked almost certain? – Wuschelbeutel Kartoffelhuhn – 2013-08-13T20:45:25.883

No... many of these zero-day exploits are very specific to an application or executable that is behind firewalls. An exploit isn't exploitable if it's not reachable. – Keltari – 2013-08-13T20:47:56.087

Browsing only reputable websites means nothing to current viruses and hacking. Although it is true that Windows updates break things more than they help, companies that do not apply Windows updates within 0 days usually have many other remedies, which are essential to cover up the holes. – None – 2013-08-14T10:57:52.307

1 "Many companies do not apply Windows updates for weeks or even a month or more." — true, but what does that imply? Many companies are still on Windows XP. I wouldn't say that such implies that they understand what they're doing. – Arjan – 2013-08-14T11:30:06.523

"It's far more likely a Windows update breaks compatibility with an application". This is hardly the case anymore. You are comparing two very low risks. – Jan Doggen – 2013-08-14T11:36:29.400

5

This is a question that can only be answered considering a great deal of variables. You've given one - when browsing activity is only on reputable websites.

A number of questions arise in my mind when you say that.

  1. Web browsing, while the most likely place to contract a virus, is not the only way. Are you 100% sure that all of your connections and downloads are secure (aside from using a browser)? What about Java applications aside from in-browser (a major source of zero-day infections)? What about email and phishing tactics? A better question would be: are you universally aware of all the connections your computer has at a given time, and are you aware of whether any given one is secure?

  2. How are you absolutely sure that the websites you visit haven't been infected themselves? Remember that a webserver on the other side of the world can be infected just as easily as you can from a zero-day infection. Combine this factor with the first: are you omniscient to know whether all of the connections your computer has are to servers that are on top of their patches?

And again, there are certainly many more variables besides these two.

Ultimately, this comes down to practice. In choosing not to patch immediately, what you are essentially saying is that your computer usage habits are completely foolproof. You are also assuming that all of the websites you trust have patched their vulnerabilities.

As to the real, hard number statistic of how vulnerable you are, that really depends on how true all those factors are. If your browsing habits and PC's connections are completely foolproof, if your trusted websites really have done their work, then your chances of infection are 0%. However, if one of those falls short of perfection, your risk increases. By how much? Well, I believe the answer to that question is:

It depends!

Here's another way to ask this question: If I have a hole in my umbrella that I'm completely unaware of, will it rain? And what part of me will get wet?

Moses

Posted 2013-08-13T20:15:22.727

Reputation: 10 813

Good point. Assume Java applets are disabled in the browser. – Wuschelbeutel Kartoffelhuhn – 2013-08-13T20:42:20.637

1 Right now your computer likely has around 75-150 active connections to remote servers. A) Are you aware of every single one of them every moment of every day? And B) Are you also aware every moment of every day whether those connections are to servers that have patched their vulnerabilities? Hint: the answer is "no" :) – Moses – 2013-08-13T20:48:32.200

Let's assume that the person in question has a reasonable level of IT knowledge (i.e., phishing doesn't happen, Java applets aren't opened, etc.). – Wuschelbeutel Kartoffelhuhn – 2013-08-13T20:50:45.303

Certainly, the risk is lower if you practice safe browsing habits. But if you are looking for a zero percent chance of infection from a zero-day, then you have two options: 1) Become omniscient. 2) Patch immediately. – Moses – 2013-08-13T20:56:39.323

1 You make a good point regarding what I suspected, namely, that it is highly volatile (due to #connections and their reliability). However, the other answer is also good because it gives you central tendency/trends/feel on how much you should worry about it if you practice safe browsing habits and have a firewall. – Wuschelbeutel Kartoffelhuhn – 2013-08-13T21:19:57.740

The umbrella thing is good, or you can say, what is the difference to return your umbrella to the shop for a less broken one. – None – 2013-08-14T10:49:49.167

1 "Remember that a webserver on the other side of the world can be infected just as easily as you" — also: the ads they serve are often not in their control. – Arjan – 2013-08-14T11:28:16.360
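
Added example, not part of the thread: a PowerShell check of the two things the answer above turns on, namely how long the machine has gone since the most recent Patch Tuesday and which remote endpoints it is currently connected to. `Get-LastPatchTuesday` is a helper name made up for this example, and `Get-HotFix` does not list every kind of update, so the hotfix date is only a rough indicator.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 or later.

# Hypothetical helper: most recent Patch Tuesday (second Tuesday of a month).
function Get-LastPatchTuesday {
    param([datetime]$Now = (Get-Date))
    $candidates = foreach ($offset in 0, -1) {
        $first = [datetime]::new($Now.Year, $Now.Month, 1).AddMonths($offset)
        $toTuesday = (([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek) + 7) % 7
        $first.AddDays($toTuesday + 7)
    }
    $candidates | Where-Object { $_ -le $Now.Date } |
        Sort-Object -Descending | Select-Object -First 1
}

$patchTuesday = Get-LastPatchTuesday

# Get-HotFix does not report every update type, so this is a rough indicator.
$newest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

[pscustomobject]@{
    LastPatchTuesday      = $patchTuesday.ToString('yyyy-MM-dd')
    DaysSincePatchTuesday = ((Get-Date).Date - $patchTuesday).Days
    NewestHotfix          = $newest.HotFixID
    NewestHotfixInstalled = $newest.InstalledOn
    HotfixSincePatchDay   = [bool]($newest -and $newest.InstalledOn -ge $patchTuesday)
} | Format-List

# Established TCP connections to non-loopback peers, grouped by process.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Group-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process     = if ($proc) { $proc.ProcessName } else { "pid $($_.Name)" }
            Connections = $_.Count
            Peers       = ($_.Group | ForEach-Object {
                              "$($_.RemoteAddress):$($_.RemotePort)" } |
                              Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Connections -Descending |
    Format-Table -AutoSize -Wrap
```

The connection table shows only what is open at the moment the script runs; it says nothing about whether the servers on the other end are patched.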

2

It really depends on what the update is supposed to fix. @moses makes some very good points, but always remember that not all attack vectors are through your web browser.

One example of something that isn't necessarily related to your web browser at all, but is still potentially easily remotely triggerable even with a firewall in place, is a buffer overflow bug in the HTML rendering engine that your e-mail client uses. In such a case, if you can be tricked into previewing a malicious e-mail, it could trigger the bug and allow an attacker to gain a foothold on your system. As I recall, there was a buffer overflow bug in the WMF image file format decoder that was fixed not that long ago.

Such an attack likely won't be protected against by either antivirus or firewall software, although depending on the attack payload it might be possible to reduce the consequences of a successful attack by proper firewalling and/or having up-to-date antivirus software installed.

Right past Patch Tuesday, after what duration is the risk of an attack significant (say, >50%) with browsing activity where only reputable sites are visited?

Basically any system on the Internet gets hammered basically all the time. If you don't have at least a firewall in place and it isn't kept fully up to date with patches, it's likely to get broken into in fairly short order. I seem to recall someone doing an experiment of putting an unprotected Windows XP system on the Internet some time ago and watching how long it took before it got broken into. I think the time window was in the minutes.

a CVn

Posted 2013-08-13T20:15:22.727

Reputation: 26 553

0

  1. If you have Antivirus (with update on) AND Firewall, you are safe (probably).

    reason: AV companies tend to provide updates to cover MS problems (on a best-effort basis), even if you do not apply the patches.

  2. If you have no Antivirus and firewall, you are at risk.

    reason: Viruses DO perform rootkit scans on the internet; they will attempt to intrude into every machine exposed to the internet if they can. A patch = a known exploit = very large chance to get infected.

  3. If you have IDS (with update on), you are even more safe.

    reason: it will detect any known hacking, virus infection activities.

user218473

Posted 2013-08-13T20:15:22.727

Reputation: