There's a lot more ways to exploit a Windows OS than JavaScript if you load websites at all. We won't even get into "if you ever read an email or open a document".
Sure, fonts local to my machine. Remote fonts can go to hell, and I've likewise got cookies and JavaShit all blocked as emails go because WTF does email need them for?
Seriously, my threat model doesn't include anything that updates claim to guard against. I'm not a fucking enterprise server, nor does any government specifically want my shit. Try arguing for me to update my router before talking about the virtues of Windows updates, at least that might alleviate random port scans and the like which are in my threat model.
I'm far more likely to get pwned by some service getting hacked and leaking my shit rather than /me/ getting hacked. People who scream at me that EOL Windows is dangerous can go pound sand, because they have no clue WTF they're crying about.
iframes are purely an HTML element. Of course, this flaw is patched in the latest Windows 7, but it's a great example of the potential risks nonetheless.
Seriously, my threat model doesn't include anything that updates claim to guard against. I'm not a fucking enterprise server, nor does any government specifically want my shit. Try arguing for me to update my router before talking about the virtues of Windows updates, at least that might alleviate random port scans and the like which are in my threat model.
I'm far more likely to get pwned by some service getting hacked and leaking my shit rather than /me/ getting hacked. People who scream at me that EOL Windows is dangerous can go pound sand, because they have no clue WTF they're crying about.