Comment by giantfrog
19 hours ago
How the hell are most people supposed to balance the risk of not updating software against the risk of updating software?
It's a hard decision. I would say a cooldown by default in the last few months would have prevented more attacks than not upgrading to the latest version due to an immediate RCE, zero-click, EPSS 100%, CVSS 10.0, KEV-listed zero-day CVE. But now that the Mythos 90-day disclosure window gets closer, I don't know what tsunami of urgent patches is in our way... it's not an easy problem to solve.
I lean toward cooldown by default, and bypass it when an actual reachable, exploitable zero-day CVE is released.
Use a package repository that fast-tracks security updates, like Debian Stable.