Comment by tasuki
18 days ago
> So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.
Yes, it is very much atypical. Most hacks happen because admins still haven’t applied a 2 years old patch. I hate updates, but it‘s statistically safer that running an old software version. Try exposing a windows XP to the internet and watch how long it takes before it‘s hacked.
Debatable. "I connected Windows XP to the Internet; it was fine" - https://news.ycombinator.com/item?id=40528117
One comment there points out that XP is old enough for infected attack vectors to have all died out. I dunno.
Anyone else noticed that we don't even GET patch notes anymore?
"Fixed some bugs" Yes thank you very helpful that! Now I can make a very informed decision.
2 replies →
I experienced this first hand in 2014. We got to a point where drive-by exploit kits just weren’t shipping IE8, Java 6 or Windows XP payloads anymore.
https://www.tomshardware.com/software/windows/idle-windows-x...
But good we are talking about my point rather than than the example.
3 replies →
You assume that the old software version has critical vulnerabilities. If it does not, then yes, updating is more of a risk since the new versions are unknowns.
My assumption is statistical. All software has critical vulnerabilities, not just the old ones. It’s just that these vulnerabilities are known, in the case of the old ones, which significantly increases the risk.
To be fair I doubt there are that many people scanning for internet facing XPs in 2026.
On the other hand, any server running old, unpatched versions of apache or similar will get picked up by script kiddies scanning for publicly known vulns very, very fast.
The notepad++ attack is politically targeted and done through unconventional channels (compromise in the hosting provider). I don't think 99% of the people reading this thread has a comparable threat model.
I don't know about Windows, but I've been running all kinds of outdated Linux (Debian mostly) and it never once caused a security problem.
Debian backports security patches.
It depends if the application itself touches the Internet or only when conducting updates.
The threat model for a server and for a personal computer are very different. On a consumer device, typically only the OS mail app and browser have direct contact with the outside world.
Steve from Security Now podcast has been specifically using Notepad++ as an example of not being able to leave good enough alone for years now. Can't wait to hear him claim his told you so next week.
Love notepad++ and will continue to use it.