by 1710522266
1072 days ago
The problem with old OSes not receiving security updates is that they will be vulnerable to new security vulnerabilities. Having a smaller attack surface (like older OSes did) is important for security. But ultimately, older, unpatched OSes are trivial to hack, even using an off-the-shelf toolkit like Metasploit; attack surface size be damned. Also, a reason why there are fewer CVEs for older OSes is that we've gotten better at finding exploits and we care more about security because basically every system is networked now. In addition, people are still hacking older versions of Windows [1], they're just not filing CVEs. In conclusion, even with the smaller attack surface, it seems silly to claim that a system written without any modern security mitigations (such as ASLR or W^X, which try to make stack overflows not trivially exploitable), suffering under the weight of years of unpatched vulnerabilities, is more secure than a modern system. [1]: https://jumpespjump.blogspot.com/2014/05/hacking-windows-95-...

So, yes, it's planned obsolescence, particularly when random buffer overflow/etc. kinds of bugs get found in these older OSes; fixing them isn't some huge lift for MS/whoever since most of the time it's just a one-line fix. And in the cases where the bug exists across multiple versions, it's likely because it's old untouched code, so fixing it in the newer OS also fixes it in the older ones if someone figures out how to `git cherry-pick` or equivalent.
I've said it before and I will say it again: the major OS providers should be on the hook for security fixes for the lifetime of the product it's been licensed to run on. That means if I want to play games on a 25-year-old computer, I shouldn't have to worry about whether some 10-year-old bug means I'm going to be exploited the second someone passes an image over that exploits a bug in the JPG decoder.