You should have all of the software on your system updating automatically, or as soon as possible after an update ships: the operating system, your office suite, chat programs, your web browser. If there’s an update for it, you should probably be applying it. I’m not saying you necessarily need to upgrade your software, but you do need to keep it updated.
An update is a patch released by the vendor to fix something. It may fix one little thing, or it may fix a whole bunch of things and add features; that is completely dependent on the vendor. An upgrade is a move to a newer version of the product, which is a separate decision.
Security updates fix a known vulnerability, and often one for which an exploit already exists. Many times, in the description of the update you’ll see something like “fixes CVE-2013-3940” with a link to the vulnerability. CVE is the Common Vulnerabilities and Exposures list, run by MITRE; NIST’s National Vulnerability Database (NVD) republishes each CVE entry with extra detail, including a CVSS severity score from 0 to 10. If you’re feeling technical, you can go read what the issue is, but even the score alone gives you an idea of how important it is to apply the update. The higher the number, the faster you should apply it!
If you do not apply the updates, your system is now vulnerable to a known attack, and many vulnerabilities have corresponding exploit or Proof of Concept (PoC) code that is public or semi-public, so you can be sure that someone will be trying it out on random or targeted computers. Just because you haven’t updated doesn’t mean that you will be attacked, or that you will be compromised if you are: you have other protections in place to limit access to your system, like a firewall or anti-virus. It’s like playing Russian roulette while wearing an old bulletproof vest. Two things have to happen: you have to be attacked (the bullet is in the correct chamber), and the attack has to get through (the vest might not work any more, or you might get hit outside the area it protects).
For larger vendors (Microsoft, for example), there is a distinction between a security update and a general update. You should allow all security updates to install automatically. Vendors have gotten really good at segregating the security fixes from new features, so automatically installing security patches is not likely to affect you adversely. General updates fix non-security issues or add new features. For the most part you’re not going to get any grief from automatically installing those either, but from a security standpoint you don’t need to install general updates automatically.
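As an added example (not code from the original post), here is a small Python triage script that does what the two paragraphs above describe: it pulls CVE identifiers out of pending update descriptions, looks up each one’s CVSS base score in an NVD-style record, turns the score into a patch deadline, and never demotes a security-classified update just because a score lookup failed. The NVD record, the pending-update list, the score-to-deadline policy and the conservative default for unscored CVEs are all constructed assumptions for this example; only the CVSS v3 severity ranges are the standard ones.

```python
import re

# A CVE identifier is "CVE-", a four-digit year, then four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Standard CVSS v3 qualitative ranges, each paired with a patch deadline in
# days. The deadlines are an assumed example policy, not something the post
# prescribes; change them to match your own risk appetite.
SEVERITY_TIERS = [
    (9.0, 10.0, "CRITICAL", 1),
    (7.0, 8.9, "HIGH", 7),
    (4.0, 6.9, "MEDIUM", 30),
    (0.1, 3.9, "LOW", 90),
]
# A security update that references a CVE we cannot score is treated as HIGH
# rather than ignored (assumed conservative default).
UNKNOWN_SCORE_TIER = "HIGH"

# Constructed sample in the shape of an NVD 2.0 API response. The field
# names are an assumption and the score is made up for this example.
SAMPLE_NVD = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2013-3940",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.3}}]}}},
    ]
}

# Constructed pending-update list; "category" mimics the security-vs-general
# classification the post describes.
SAMPLE_UPDATES = [
    {"title": "Security Update for the office suite", "category": "Security Updates",
     "description": "Fixes CVE-2013-3940. See the linked vulnerability for details."},
    {"title": "Feature update for the office suite", "category": "Updates",
     "description": "Adds a redesigned toolbar."},
    {"title": "Security Update for the chat client", "category": "Security Updates",
     "description": "Resolves CVE-2013-0000 (placeholder id that is not in the feed)."},
]


def extract_cve_ids(text):
    """Return the distinct CVE identifiers mentioned in an update description."""
    return sorted(set(CVE_RE.findall(text)))


def build_score_index(nvd_json):
    """Map CVE id -> highest CVSS base score found under any metrics key.

    Taking the highest score across whatever metric versions are published
    keeps the triage conservative when several scores exist for one CVE.
    """
    index = {}
    for item in nvd_json.get("vulnerabilities", []):
        cve = item.get("cve", {})
        cve_id = cve.get("id")
        if not cve_id:
            continue
        best = None
        for entries in cve.get("metrics", {}).values():
            for entry in entries:
                base = entry.get("cvssData", {}).get("baseScore")
                if base is not None and (best is None or float(base) > best):
                    best = float(base)
        index[cve_id] = best
    return index


def tier_for_score(score):
    """Return (label, deadline_days) for a CVSS base score."""
    for low, high, label, days in SEVERITY_TIERS:
        if low <= score <= high:
            return label, days
    return "NONE", None


def tier_for_label(label):
    """Return (label, deadline_days) for a named tier such as "HIGH"."""
    for _low, _high, tier_label, days in SEVERITY_TIERS:
        if tier_label == label:
            return label, days
    raise ValueError(label)


def triage(updates, score_index):
    """Rank pending updates: shortest deadline first, general updates last."""
    ranked = []
    for upd in updates:
        cves = extract_cve_ids(upd["title"] + " " + upd["description"])
        is_security = upd["category"] == "Security Updates"
        known = [score_index[c] for c in cves if score_index.get(c) is not None]
        missing = [c for c in cves if score_index.get(c) is None]
        if known:
            score = max(known)
            label, days = tier_for_score(score)
        elif cves or is_security:
            # Security-classified, or references a CVE we cannot score: a
            # failed lookup must not silently turn it into an optional update.
            score = None
            label, days = tier_for_label(UNKNOWN_SCORE_TIER)
        else:
            score, label, days = None, "OPTIONAL", None
        ranked.append({"title": upd["title"], "cves": cves, "score": score,
                       "severity": label, "deadline_days": days,
                       "unscored_cves": missing})
    # Updates with no deadline (the optional ones) sink to the end.
    ranked.sort(key=lambda r: (r["deadline_days"] is None, r["deadline_days"] or 0))
    return ranked


if __name__ == "__main__":
    for row in triage(SAMPLE_UPDATES, build_score_index(SAMPLE_NVD)):
        print(f"{row['severity']:<9} due in {str(row['deadline_days']):>4} days  "
              f"{row['title']}  {row['cves']}")
```

Run it as a script and the office-suite security update (CVSS 9.3, CRITICAL) lands at the top with a one-day deadline, the chat-client update whose CVE is missing from the feed is held at HIGH instead of being dropped, and the feature update sorts last as optional. In practice you would replace SAMPLE_NVD with a real NVD query and SAMPLE_UPDATES with the output of your update tool.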
Software manufacturers/developers stop supporting software at some point: the End of Life (EOL). After that, no more patches will be released for it, even if a vulnerability is found. If you’re still running Windows XP or Office 2003, you need to upgrade, because Microsoft is ending support for both on April 8, 2014. And if you’re frugal, you might be running those old versions to save money – I know I’ve got XP in my Windows VM still. Microsoft has a pretty long lifecycle for their products, over 10 years, but other developers don’t (Adobe’s is about 5 years). Some don’t even bother to tell you they’re not supporting a particular software version any longer.
What If I Don’t Want to Upgrade?
If you don’t want to or can’t upgrade to a supported version for some reason, make sure that you have a firewall that blocks all inbound traffic, anti-virus that is as up to date as you can get, an up-to-date browser, and preferably a sandboxing tool: a browser with a built-in sandbox like Google Chrome, or a general-purpose sandbox like Sandboxie. You will still be vulnerable to exploits for anything that has not been patched, but a firewall will help protect against network attacks, and anti-virus and sandboxing will help protect against “user error” attacks, i.e. clicking on an e-mail attachment.
Additionally, if there’s no reason for this machine to be on your network (e.g. it’s only used for CAD, or for an off-line video game), consider just unplugging the network cable or disabling wireless.