Why Update?? Stupid question?? With the release of SP1 this question becomes actual again. To speak frankly I am a bit surprised seeing all people running like crazy after downloads of these service packs. The earlier installed the better it seems. Same for the questions on this forum every 2nd Thursday of a month. Should we install?? Is it safe?? Since I installed Windows 7 in Sept. 2009 I think, I have never installed any update, neither automatically nor manually. I have asked relatives, friends and neighbours: have you ever installed updates? The answer is no... Are we all running a severe risk, or is it MS that wants us to believe in all these what they call critical updates?
Sure, there are some critical security updates among the updates, while other updates fix certain problems people are having. If you're not one of those people, then you may not need that update. But if you have problems you'll be grateful for such an update. Basically, if Microsoft would come out with Windows 7 today, they would include all those updates and fixes that have come out so far since the actual release of Windows 7. And then you'd be here asking the same question a year or more from now... see? All past progress made by Microsoft is part of Windows 7 as you have it now, and updates have always been an integral part of that. So in the sense of the overall product, its security, its compatibility, its performance, YES, updates are an important part of all this. If your PC or laptop is running fine and you never have a problem, then that is great for you. It doesn't mean you'll even have to install an update at all... so it may not be necessary for you. But to answer you more specifically: yes, I can see how you feel like you *should* be installing all these updates, seeing how people on here are talking about them and hunting for them. As far as the people who install every update on a current install (or use live update for that matter), I honestly don't get it either, to me that is a waste of time. The only reason I go after updates is because I often make integrated Windows 7 images to install from, and those I'd like to be up to date to the moment in time I create them. But as far as applying updates to a live, current install, I don't do that either, so I'm sorta with you on that. Although, I would probably not go an entire year without updating my install, but then again my installs usually don't last very long as I install a lot. But this is like hobby stuff for most people, they like doing this, it's not that it is necessary at all (or even making sense in most cases, lol). 
So don't worry, it's just the hobbyists (and addicts, I might add) that go after these updates like that. Sorry to say I'm kind of one of them...
While I agree that it may just be hobbyists that go crazy for early access to updates and so on, I think we should try to separate that fervour from "regular" security updates. If you're not installing security fixes, then your system is like Swiss cheese (riddled full of holes) for viruses, trojans and backdoors. Even if you have a third-party firewall and antivirus program installed, by neglecting to keep the Windows components secure, your system has a much higher exposure level than a patched system. I remember back in the early days of XP (before the first service pack). I would install XP, then go online to download security patches. However, my system would keep rebooting itself within 5 minutes of being connected. Well, it turned out to be a trojan infecting my system simply due to being online. Of course, a router or active firewall (since XP RTM had no firewall enabled by default) would have helped, but perhaps you can see the point I'm making.
You sound like an anti-malware company trying to scare people into buying their products. The fact of the matter is, the vast majority of security vulnerabilities are not that dangerous. Each Patch Tuesday, the Microsoft security team posts a pretty, color-coded chart of that month's patches. Look at that chart, and pay attention only to those marked as "RCE" (remote code execution). Of those RCE bugs, ignore those that affect components that you don't have installed or are inactive (e.g., IIS). Of those bugs that remain, pull up the full security bulletin for the bug on TechNet and read the details about how they are triggered. Be sure to also read the mitigating details, if there are any (e.g., it might say something along the lines of "this bug is RCE only if conditions A, X, and Z are met, otherwise, it's just an EoP bug"). The truly scary bugs (connect-to-the-network-and-you're-pwned) are those that meet all of these conditions: (1) RCE bugs that do not require authentication (2) do not require any user action (e.g., you don't need to visit a malicious website) and (3) don't require any special or unusual conditions in order to be exploited as a RCE bug. These bugs are very rare. And, since the release of XP nearly a decade ago, there have only been three pieces of malware based on these sorts of bugs: blaster/welchia, sasser, and conficker (your thing about an unpatched XP being instantly infected is probably blaster, which actually happened between SP1 and SP2, not SP0 and SP1). And in all of these cases, the attack could come from outside the local network only if the router opened the appropriate ports (so for a NAT router, attacks from outside your local network could happen only if your SMB/RPC ports were explicitly set to be port-forwarded). (However, if your local network is a large network with many untrusted machines, like, say, a university dorm network, then this won't be much of a mitigation.) 
The next class of bugs that I worry about (though they are not nearly as dangerous/scary) are those that require a plausible user action. For example, a bug that is triggered by visiting a malicious website (or a good website that had been secretly compromised) using any browser (e.g., a font bug) would worry me. Ones limited to IE don't (since I use Firefox exclusively). All other security bugs don't concern me. You see, I have a system that I keep running every minute of every day. It's a headless (no monitor, keyboard, or mouse) low-power (less than 20W) Atom nettop running the client (not server) edition of Windows that I control via Remote Desktop. I use this system as a SSH and Apache server (both port-forwarded and open to the outside world), as a local file server, for P2P, and for scheduled recordings of TV shows in Media Center (and WMC is one reason why I don't use a server SKU). And I do not like to reboot it. So each PT, I check the bulletin, and I patch and reboot only if necessary. And since I don't browse the web from it, I don't care about those user-action-required bugs, either. I think the longest I've gone without rebooting or patching is a bit over a year (and then, it was only a loss of power that forced me to). Oh, and I don't have AV, I have Defender disabled, and the firewall service disabled (if you're behind a NAT router, the software firewall is only protecting you from other computers on your own network). Once you know a little about malware, how they exploit and spread, and just how various bugs play a role in that, the world will seem a lot less dangerous than what the sensationalist (and almost always poorly-informed) media would have you believe.
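The triage described in the post above, written out as an added example (not part of the original thread and not any Microsoft tooling): it sorts constructed bulletin records into the post's three classes and, for the network-reachable class, reports who can reach the service given the router's forwarded ports and whether the LAN is trusted. All field names, bulletin IDs and host profiles are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Bulletin:
    ident: str                      # constructed placeholder, not a real bulletin ID
    impact: str                     # "RCE", "EoP", ...
    component: str
    port: Optional[int]             # listening port of the affected service, if any
    needs_auth: bool = False
    needs_user_action: bool = False
    needs_special_conditions: bool = False

@dataclass(frozen=True)
class Host:
    active_components: frozenset
    forwarded_ports: frozenset      # ports the NAT router forwards to this host
    lan_trusted: bool               # False on e.g. a dorm network

TIERS = ("network-wormable", "user-action", "lower")

def triage(b, host):
    """Return (tier, exposure) using the criteria from the post."""
    if b.impact != "RCE" or b.component not in host.active_components:
        return ("lower", "n/a")
    if b.needs_user_action:
        return ("user-action", "n/a")
    if b.needs_auth or b.needs_special_conditions:
        return ("lower", "n/a")
    # Unauthenticated, no-interaction RCE: who can reach the service?
    if b.port in host.forwarded_ports:
        return ("network-wormable", "internet")
    if not host.lan_trusted:
        return ("network-wormable", "untrusted-lan")
    return ("network-wormable", "trusted-lan-only")

def patch_order(bulletins, host):
    """Bulletin IDs sorted so the highest tier comes first."""
    return [b.ident for b in sorted(bulletins, key=lambda b: TIERS.index(triage(b, host)[0]))]

# Constructed sample data for illustration only.
MONTH = [
    Bulletin("EXAMPLE-01", "EoP", "Kernel", None),
    Bulletin("EXAMPLE-02", "RCE", "IIS", 80),
    Bulletin("EXAMPLE-03", "RCE", "Font rendering", None, needs_user_action=True),
    Bulletin("EXAMPLE-04", "RCE", "SMB server", 445),
]
HOME = Host(frozenset({"Kernel", "SMB server", "Font rendering"}), frozenset({22, 80}), True)
DORM = replace(HOME, lan_trusted=False)

if __name__ == "__main__":
    for b in MONTH:
        print(b.ident, *triage(b, HOME))
    print(patch_order(MONTH, HOME))
```
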
I have long been hesitant to raise this matter of the necessity of regular updates, but after reading your interesting and much appreciated reactions I am glad I did take the bull by the horns. Enigma256's well defined theory coincides fully with my own opinion, though I must admit (subpsyke) that I am behind my router's firewall and use MSE for further protection. Thanks a lot.