> drive-by system takeover isn't on your threat list?
How would that "drive-by system takeover" happen?
AFAIK, Windows 7 came with its network firewall enabled by default, so most services wouldn't be exposed to the network. And that network is often a local network, with another firewall separating it from the rest of the Internet. For many users, the only exposed attack surface would be the web browser itself.
Firefox is I believe the last browser here to announce dropping Windows 7, but a ton of web-connected OS features in Windows 7 use Internet Explorer to load content, and dangerously outdated IE at that. At least with Windows 8, also a bad idea, many of those connected features use the legacy Edge engine which is (marginally) better.
Nope. The machine's behind a router and its own firewall. Most JavaShit is disabled in the web browsers. Why would a drive-by attack be in my threat model?
There's a lot more ways to exploit a Windows OS than JavaScript if you load websites at all. We won't even get into "if you ever read an email or open a document".
Sure, fonts local to my machine. Remote fonts can go to hell, and I've likewise got cookies and JavaShit all blocked as emails go because WTF does email need them for?
Seriously, my threat model doesn't include anything that updates claim to guard against. I'm not a fucking enterprise server, nor does any government specifically want my shit. Try arguing for me to update my router before talking about the virtues of Windows updates, at least that might alleviate random port scans and the like which are in my threat model.
I'm far more likely to get pwned by some service getting hacked and leaking my shit rather than /me/ getting hacked. People who scream at me that EOL Windows is dangerous can go pound sand, because they have no clue WTF they're crying about.
iframes are purely an HTML element. Of course, this flaw is patched in the latest Windows 7, but it's a great example of the potential risks nonetheless.