How I think about how important security updates are
Probably like many places, we weigh the potential or actual disruption of things like kernel updates against the risks of not updating when deciding how urgent applying them is. As part of this, I have developed a personal way of sorting security issues into different categories that I care about, with an end result ranging from not so bad to really bad (and if we are lucky, 'no impact, we can ignore').
For various reasons I feel like writing out the things I care about and look at today:
- is this a local only issue, or is it remotely exploitable?
- what's the consequence of the vulnerability?
What I usually care about is an escalating scale: denial of service (crashing programs, locking up the kernel, deleting files), giving access to files or information (for example, by being able to read kernel memory), and finally giving you root or other elevated privileges.
(For a remote attack, 'gives access' counts as elevated privileges.)
- what component is the vulnerability in?
Especially in something like the Linux kernel, a lot of the issues are in drivers and code that we don't come anywhere near, so they don't affect us at all.
(Note that this applies to more than just security issues; I tend to evaluate all bugs this way if the update is disruptive or potentially risky.)
Note that you should not get complacent about 'local only' security issues, because if you have a substantial user population, you should just cut to the chase and assume that any attackers can have the keys to some of your local accounts. Plus, a local security issue makes a great way to leverage a small vulnerability in some network service into a huge gaping hole in your system.
(I've been there and dealt with that, and it was no fun at all.)
Also, it's important to understand that deciding not to upgrade is a risky decision for more reasons than the obvious. There have been any number of security vulnerabilities that turned out to be more exploitable than was initially believed.