0

As is well known, the extended support of Windows 7 (Service Pack 1) ends on January 14, 2020. Due to the short time that remains, I raise this question.

What consequences could an outdated operating system without continued updates have?

Taking into account that:

  • Updated antivirus.

  • Firewall installed, updated and configured the rules for applications that are allowed to connect to the internet. In addition to this and as additional protection, having the file control of the firewall active (it warns against a change in key registry keys, connection to the network, use of the keyboard, etc).

  • Standard account for daily use. The administrator account, only to make installations and important modifications in the system.

  • Updated applications.

Even if I do not have the system updated and having all of this configured, what problems could it bring me?

Johnny
MarianoM
  • "Updated antivirus" is specifically discussed in "[Replacing Windows 7 security updates with anti-virus?](https://security.stackexchange.com/questions/205193/replacing-windows-7-security-updates-with-anti-virus)". Basically: Everything is bad, if you do this, because (system) security updates are the baseline defense/security. So [switching to a different OS like Linux](https://computefreely.org/) is really possible nowadays, even for gamers, and there you will always have updates & upgrades. – rugk Mar 13 '19 at 12:03

2 Answers

3

> Even if I do not have the system updated and having all of this configured, what problems could it bring me in the event that one is presented?

Lots of applications use the OS libraries and functions for doing mundane tasks, such as showing videos or pictures, or drawing a UI. A vulnerability in one of those libraries may affect your browser, even though the browser is fully updated.

vidarlo
  • Even something as mundane as loading a font from a website ... CVE-2013-3181 comes to mind. https://nvd.nist.gov/vuln/detail/CVE-2013-3181 – Joseph Kern Nov 11 '18 at 18:26
  • @JosephKern What a good page! I did not know that there was, haha. What pages do you recommend visiting often to keep me informed of vulnerabilities? Do you have some reliable sources that you can share with me? – MarianoM Nov 12 '18 at 07:00
  • Well right now keeping up on security patches is a bit of a full time job ... you can start with: 1. MS Security Blogs: https://blogs.technet.microsoft.com/msrc/ 2. Then there's the CVE Database: https://cve.mitre.org/ 3. Bugtraq Mailing list: https://www.securityfocus.com/archive/1 These are ordered from least to most technical knowledge and least to most general as a consequence. – Joseph Kern Nov 12 '18 at 07:53
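The dependency vidarlo's answer describes can be seen on a running system. The following PowerShell is an added example, not part of the original answer: it lists the modules a running application has loaded and marks each as shipped with the OS (under `%WINDIR%`) or with the application. The process name `firefox` is a placeholder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: show how much of a "fully updated" application is really
# OS code. Modules under %WINDIR% are only patched by Windows updates.
# Assumptions: 'firefox' is a placeholder process name; PowerShell 3.0+.
param([string]$ProcessName = 'firefox')

function Get-ModuleOrigin {
    param([Parameter(Mandatory)][string]$Name)

    $winDir = $env:windir.TrimEnd('\') + '\'
    $procs  = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Warning "No running process named '$Name'."
        return
    }

    $loaded = foreach ($p in $procs) {
        # Reading .Modules fails for protected processes, or when a 32-bit
        # PowerShell inspects a 64-bit process; report it and continue.
        try   { $p.Modules }
        catch { Write-Warning "PID $($p.Id): cannot enumerate modules." }
    }

    $loaded | Where-Object { $_.FileName } |
        Sort-Object FileName -Unique |
        ForEach-Object {
            $isOs = $_.FileName.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                Module  = $_.ModuleName
                Origin  = if ($isOs) { 'OS' } else { 'Application' }
                Version = $_.FileVersionInfo.FileVersion
                Path    = $_.FileName
            }
        }
}

$modules = @(Get-ModuleOrigin -Name $ProcessName)

# Summary: how many loaded modules come from each origin.
$modules | Group-Object Origin | Select-Object Name, Count

# Detail: the OS-supplied libraries the application depends on.
$modules | Where-Object { $_.Origin -eq 'OS' } |
    Sort-Object Module |
    Format-Table Module, Version, Path -AutoSize
```

Run it from a PowerShell session with the same bitness as the target process. Every row marked `OS` is a library whose fixes arrive only through Windows updates.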
1

A few quick ones off the top of my head:

  • Assuming the OS goes out of security support, vulnerabilities in the OS may be left unpatched. This may lead to you getting popped through services that you normally use (e.g. SMB for file sharing) or via filetypes that seem benign.
  • You won't benefit from any new anti-exploitation protections in newer versions of Windows. There was a big push for this in Windows 8.1, and in newer releases of Windows 10 Microsoft rolled many of EMET's protection features into the kernel.
  • If you're using BitLocker for FDE with a TPM, you won't have TPM 2.0 support. You may also be vulnerable to security issues with BitLocker, such as the recent one with SSD encryption.
  • Updated drivers may not be compatible with Windows 7, so you may get legacy drivers that are missing security patches.
  • Windows 7 defaults to less-secure default security policies than Windows 10 - for example, the policy to harden the default DACLs on system objects is disabled by default on Win7 and enabled by default on Win10.
Polynomial
  • I understand that the outdated system is more vulnerable (in addition to that we will always have some vulnerability, even without knowing it), but in any case, with updated programs like the Firewall it has, including file control, if a vulnerability tries to be exploited by an attacker, I suppose the firewall would inform me that it is trying to execute a program that is not registered in the rules (as I had configured it); I suppose that would be enough to avoid the attack and analyze where it comes from to block it and avoid it. Am I wrong? – MarianoM Nov 12 '18 at 07:08
  • @MarianoM Not necessarily. The firewall wouldn't alert you to the launch of any application, it just alerts you to outbound traffic from that application, assuming it can actually tell that the application is generating traffic. It could easily inject a DLL into a trusted process and generate traffic from there, and your firewall would allow it. – Polynomial Nov 12 '18 at 11:59
  • It seems that you have not yet tried COMODO Firewall. This Firewall, in addition to having Firewall protection, has Defense+, which allows you to configure HIPS rules manually (Host-based Intrusion Prevention System). Even, making tests, I managed to configure to alert me when accessing a certain folder and/or deny access from the same Firewall. – MarianoM Nov 12 '18 at 12:19
  • What I mean is, assuming that the software has a backdoor, blocking the internet connection for the software should already be sufficient? It is not a malware either, it has a lot of clients and in addition, I often have contact with the creator. – MarianoM Nov 12 '18 at 12:21
  • @MarianoM That's not a firewall then, it's a HIDS. Since you didn't mention a HIDS in your post, I didn't reply in the context of you running one. But ultimately this comes down to one thing - you're burning a *lot* of effort (and probably cost) on trying to harden Win7 instead of just upgrading to Win10. At some point you're going to be so far into sunk costs that you'll either never upgrade (and those costs will spiral - trust me, I've seen it) or you'll scrape your way to a Win10 upgrade by the time two new OSes are out, and you'll be right back at square one. – Polynomial Nov 12 '18 at 12:29
  • @MarianoM The ATM industry (at least here) does this every 5 years or so. They paid Microsoft tens of millions in support contracts on XP, finally upgraded to a mix of Vista and Win7, got screwed by Vista, hastily upgraded to Win7 (at huge operational cost - it was a big job), by which point Win8 was out. And as usual they sat on Win7 thinking everything would be fine, and now they're back in the same situation with spiralling costs of doing a Win10 upgrade. Of course by the time they get round to it they'll only have a few years before EOL again. Don't get stuck in that cycle. – Polynomial Nov 12 '18 at 12:33
  • I understand perfectly what you say, and you have made me aware because I like to have the computer too personalized and well configured so as not to lose time with obstacles along the way. However, I think that when it comes to customize it, this happens too, an update comes out and changes everything. I'll have to see if my computer does not slow down with Win10 and if I can buy the license or go to Linux. I do not want to distort more because that's what the chat is for, so the conclusion is: update even if I can somehow keep the equipment protected. Thank you! Greetings from Argentina. – MarianoM Nov 12 '18 at 12:59