If I keep all incoming connections blocked, but also all outgoing connections blocked except my browser (no MS/Win service is communicating with anything online), would my attack surface be just the browser? So it wouldn’t matter if Win is not updated?


That’s still the main entry for malware.
How? Don’t you need to actually download and run some .exe, .bat, .cmd, .msi, etc. to get some malware?
No. That still works of course, but there are other ways. You wouldn’t believe how much stuff your browser actually executes.
Edit: nvm, thanks for the answer.
Believe me, you won’t believe it.