by thot_experiment 650 days ago
Yup, 100%. My golden rule of computers is:

If it's working right now, an update can only cause it to break. The best case scenario is that it still works. Why would you roll the dice?

3 comments

Golden rule to get exploited
The "but muh security" argument is absolute horseshit 99% of the time. And the 1% that actually need it are going well beyond automatic updates to secure their systems.
If you look at the background radiation of the Internet of automated things just hitting services to probe for exploits, they are most commonly looking for exploits from bugs in older software.

There's a timing argument - that unless you're at risk of zero days (like you're the DOD) - that you probably don't need to upgrade immediately. But it seems unarguable to me that the longer you wait, the greater the risk from a security perspective.

As always, security is a trade off. Risk of breaking from an update has to be balanced against risk of exploit. I'd argue the latter is going up more quickly than the former.

How many actual zero-days are there per year that don't require you to ALSO be doing something dumb? It seems exceedingly rare. I understand the argument if you're talking about, like, a server running some CMS or whatever; sure, that's gonna get pwned because it's a big target so it's worth going after. Your NATed personal machine? You're fine unless you're running executables off random Russian sites (and even then you're probably fine if you're getting your shit from reputable shady sites).
There was that Windows IPv6 no-click zero-day within the last couple of weeks.
Good thing I disable IPv6 at home because it's an annoying PITA, and I run no machines with Windows in the cloud. Checkmate :P

On a more serious note though, I don't think machines with IPv6 enabled that are behind a NAT are likely to be vulnerable to this. I suppose it's maybe wormable if you can NAT-punch through some P2P VoIP or gaming service. It's the sort of patch I would probably install if I were made aware of it (if I had IPv6 enabled), but being made aware of it doesn't, like, leave me worried, and I don't consider it likely to affect me unpatched.

No, this is a crazy take, old versions of software are usually rife with exploits, where everyone knows about the bug.
It's really not, I never upgrade anything and I haven't been pwned in like a decade. (Or maybe I have been pwned but not in a way that's affected me at all so you know, whatever)
On an internet exposed server?
While sibling comment is correct about the discussion I do have a few VPS I've had around for a while (<5 years with only password based SSH too because keys are annoying asf to manage when you're like, on your phone trying to do something etc) and I barely ever upgrade those and everything seems fine. They have DNS pointed at them too so it's not like they're secret in any way.

I suspect it's because I don't use many common software packages so the attack surface is small-ish.

That's not what the discussion is about; stop hijacking the thread to push your narrative.
Attacks get automated and targets are no longer hand-picked. Having many unpatched systems makes the environment ripe for self-replicating worms.
so true - the few who are at risk of real exploits are already aware of this and do more than just system updates

I only let my browser auto-update (somewhat reluctantly) since I view that as the most likely security issue on my winpc, but when I used to let win10 autoupdate (and other garbage Dell drivers), things would start breaking after each update.

this also applies to phone app updates - I only update if there's a reason to, not just for the sake of updating...

and people wonder why I have the best working phone and pc at the office...

> the few that are at risk…

Boxes get popped all the time. Why are you painting such a dishonest picture?

> and people wonder why I have the best working phone and pc at the office...

Probably because you know about computers. Nothing to do with your poor security practice.

And this still doesn’t say anything about the explicitly absolutist advice in the parent comment. “No matter the circumstance, turn auto-update off! Just in case you want to partake in some piracy!”

> Probably because you know about computers. Nothing to do with your poor security practice.

IME knowing about computers is what causes auto-update to break things. Because you actually rely on the kind of things that it would break.

The Arch rule says update, btw.