by userbinator 1072 days ago
Unsupported operating systems receive no security updates and can be dangerous for you to use.

I see that the paranoia-FUD pushed by the forced-obsolescence corporate-authoritarianism crowd has infected them too.

Looking at how many new vulnerabilities are being found in newer, increasingly complex (often for zero benefit), and at the same time more user-hostile software should make you see what they're really trying to do. Software that has been around for a long time has had far more bugs beaten out of it than the new stuff, and due to the way the industry is going, it will only get worse.

Fortunately there's a huge and growing community which has forked Firefox and continued making functionally-equivalent versions for older OSs.

As the old saying goes: "There are known knowns, known unknowns, and unknown unknowns."

Look at the truth yourself if you don't (or don't want to) believe:

https://www.cvedetails.com/product/112/Microsoft-Windows-95....

https://www.cvedetails.com/product/343/Microsoft-Windows-98....

https://www.cvedetails.com/product/462/Microsoft-Windows-98s...

https://www.cvedetails.com/product/107/Microsoft-Windows-200...

https://www.cvedetails.com/product/739/Microsoft-Windows-Xp....

https://www.cvedetails.com/product/9591/Microsoft-Windows-Vi...

You can find the stats for (all the different versions of) Windows 10 and 11, and combine them yourself.


The problem with old OSes not receiving security updates is that they will be vulnerable to new security vulnerabilities. Having a smaller attack surface (like older OSes did) is important for security. But ultimately, older, unpatched OSes are trivial to hack, even using an off-the-shelf toolkit like metasploit; attack surface size be damned.

Also, a reason why there are fewer CVEs for older OSes is that we've gotten better at finding exploits and we care more about security because basically every system is networked now. In addition, people are still hacking older versions of Windows [1], they're just not filing CVEs.

In conclusion, even with the smaller attack surface, it seems silly to claim that a system written without any modern security mitigations (such as ASLR or W^X, which try to make stack overflows not trivially exploitable), suffering under the weight of years of unpatched vulnerabilities, is more secure than a modern system.

[1]: https://jumpespjump.blogspot.com/2014/05/hacking-windows-95-...

There is a big difference between Win9x and modern battle-hardened OSs that have been sitting on the modern internet for a decade. As the parent points out for Windows, and it's similar for Linux, the security exploits are largely in _NEW_ code being rewritten rather than the code which is being tossed, hence the recent huge privilege escalation bug in the Linux kernel last week.

So, yes, it's planned obsolescence, particularly when random buffer overflow/etc. kinds of bugs get found in these older OSs: fixing them isn't some huge lift for MS/whoever, since most of the time it's just a one-line fix. And in the cases where the bug exists across multiple versions, it's likely because it's old untouched code, so fixing it in the newer OS also fixes it in the older ones if someone figures out how to `git cherry-pick` or equivalent.

I've said it before and I will say it again: the major OS providers should be on the hook for security fixes for the lifetime of the product it's been licensed to run on. That means if I want to play games on a 25-year-old computer, I shouldn't have to worry about whether some 10-year-old bug means I'm going to be exploited the second someone passes an image over that exploits a bug in the JPG decoder.

I don't disagree with any of this :)

The only claim that I'm making is that in today's world, it is more secure to be on a system that's receiving security updates.

In addition, people are still hacking older versions of Windows [1], they're just not filing CVEs.

That's because there's little value in doing so, and as that article shows, it's also very difficult to, due to the tiny attack surface. The exploit shown there requires things that people wouldn't normally do (or even find it easy to, due to NATs) even with a newer version --- like exposing a share over the Internet --- and there have already been plenty more exploits found in the file sharing code of newer Windows too.

I agree that the "BUT WHAT ABOUT UPDATES?!" hysteria is weird [1].

But realistically Windows 7 has a very small user base remaining, and an even smaller part of that uses Firefox. So what do you want Mozilla to do? Keep wasting resources on CI, testing, coding shims for missing OS features, and making releases for the benefit of the 12 people worldwide who depend on the W7+Firefox combination?

1. https://knowyourmeme.com/photos/2202720-coomer

The hysteria is of course propagated by those who stand the most to benefit from it.

Keep wasting resources on CI, testing, coding shims for missing OS features, and making releases for the benefit of the 12 people worldwide who depend on the W7+Firefox combination?

There's no need to target specific OS versions. Yes, MS has added new APIs, but the old ones are still there and function perfectly fine; and chances are that the users on W7 are not going to care about any new features anyway, so if Firefox doesn't have the same features when running on W7 vs. a newer version, it doesn't matter.

I have written apps that will run on anything from Win95 to 11. A minimalist web browser happens to be something I've been working on too.

Microsoft's backwards compatibility is its greatest advantage, but only if you take advantage of it.

I'm too lazy to dig them up, but yes, if you look at the Python change they applied to break Win7, or the Firefox change required to break WinXP, they both were like 20 lines of code that had largely sat untouched for years and provided some API shimming.

So it actually takes effort to remove support for these OSs, and generally it's better to just let them decay, if the project can't be bothered to keep a CI machine running, than to give your users the middle finger.

So, yah, they deserve the ire people direct at them.

Heh. My father is one of those 12. He called me yesterday and mentioned he was going to be trying out some Linux stuff.

Who's forking Windows 7, though?