
Windows 7 support will end on January 14, 2020. Assuming that after that day I still use an updated browser, is it true that I'm still safe? Can it "patch" the OS-based security holes?

Minor question: typically, how long until browsers stop supporting an abandoned OS? Is there any number on this?


Related: Why should browser security be prioritized?
FYI: Attack surface - Wikipedia

Ooker
  • Why not just install Windows 10? It's a pain, but you can disable the privacy-violating "telemetry" features and change the desktop to look more like that of 7. Windows 10 has significantly superior security anyways. – forest Apr 10 '19 at 03:00
  • thanks. My machine is quite old. I stick to Windows 7 just for the low requirements on hardware – Ooker Apr 10 '19 at 04:15
  • Perhaps you should consider switching to a popular Linux distribution like Ubuntu then. It's secure, privacy-friendly, and works very well on a wide variety of hardware (even old hardware). – forest Apr 10 '19 at 04:31
  • unfortunately, I need Windows programs (AutoHotKey, ShareX, ManicTime). Libre Office can replace MS Office, but it's buggy for large files – Ooker Apr 10 '19 at 04:52
  • Wine works for many programs, and there are good (sometimes superior) alternatives to many Windows-native programs that are incompatible with Wine. I suppose you'll have to decide whether or not it's important enough for you to buy a new computer (and continue to do so every few years). – forest Apr 10 '19 at 05:07
  • in fact Windows 10 should often be smoother on the same specs compared to Windows 7 because of several improvements like user-space font rendering (which means fewer context switches → lower Meltdown impact), compressed memory (like zram on Linux) which significantly enhances responsiveness on systems with low memory – phuclv Apr 10 '19 at 16:12
  • Honestly, I completely understand staying on Windows for ShareX, it's amazing software – anna328p Apr 10 '19 at 23:05
  • @DmitryKudriavtsev https://github.com/Francesco149/sharenix – forest Apr 11 '19 at 05:50
  • @forest I've looked at it. It doesn't have screen region selection. I eventually ended up writing my own script https://github.com/dkudriavtsev/scre – anna328p Apr 11 '19 at 06:08
  • @DmitryKudriavtsev I use my own script as well, I just saw that in a search. – forest Apr 11 '19 at 06:11
  • A reliable source tells me that it is difficult to remove all the privacy intrusions of Windows 10. Are you saying it is easy and that you are 100% sure you can remove all of them? If so, I'd like to hear your methods. – user21820 Apr 11 '19 at 06:58
  • @user21820 format the disk :). OK, seriously, but I back up to the cloud regularly, and my files are not really private. My concern so far is that they can access my social network profiles and ask my friends for money... – Ooker Apr 11 '19 at 08:56
  • Sorry, I intended to ask @forest but left out the ping. – user21820 Apr 11 '19 at 09:41
  • @user21820 I heard that there are some modified installations (distros) that are cleaned. You can try them – Ooker Apr 11 '19 at 10:12
  • @Ooker: Well the problem is, if I am not good enough to identify the privacy intrusions, neither will I be good enough to verify any modified installation as cleaned. And I prefer to do it myself anyway haha.. I'll wait for forest's reply. – user21820 Apr 11 '19 at 12:42
  • Note that "still safe" seems to assume you're safe right now, which is not necessarily the case, depending on what's on your current system, how you use it, and what you mean by "safe". At the very least, using Windows 7 right now is in some ways less safe than using Windows 10, all other things being equal. – Todd Wilcox Apr 11 '19 at 15:34
  • @user21820 I don't know of any specific methods because I don't use Windows. I recall hearing that there's a regularly-updated script/program on GitHub which supposedly disables the problematic services. – forest Apr 12 '19 at 05:46
  • Consider installing some *recent* Linux distribution on your old PC. More [reasons](https://www.forbes.com/sites/jasonevangelho/2018/07/23/5-reasons-you-should-switch-from-windows-to-linux-right-now/) to do that are widely documented. – Basile Starynkevitch Apr 12 '19 at 07:36

4 Answers


Do not use an outdated OS, even with a modern browser.

Assuming that after that day I still use an updated browser, is it true that I'm still safe?

No, you cannot avoid browser-based security holes only by updating the browser. There are a few reasons for this. Primarily, the browser is not entirely self-contained. It makes use of operating system libraries, for example the system memory allocator. This allocator is designed to mitigate various memory corruption-related security issues. If the allocator is not kept up to date, memory exploitation bugs may be easier to perform against the browser, no matter how up to date the browser is.

Another reason is that browser security often relies on OS sandboxing features. A powerful browser exploit must be combined with a so-called sandbox escape. How easy that escape is depends on how secure the operating system is as well as how secure the browser is. By using an outdated operating system, your browser is being protected by out of date and potentially vulnerable security features.

Can it "patch" the OS-based security holes?

No. Patching operating system vulnerabilities requires elevated privileges, which a browser does not have. Even if it did, browsers are not designed to modify system settings or system files. There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS.

Minor question: typically, how long until browsers stop supporting an abandoned OS?

Browser vendors typically publish when they will stop officially supporting a particular operating system. After that point, changes made to the browser that break on older systems will no longer be considered bugs and may not be fixed. Programs typically continue running on older systems for a very long time, however. They only stop working when they begin to rely on newer system APIs that aren't present in older versions. This is relatively rare. A browser should be able to run on an outdated operating system for many years, albeit not very securely, and without official support from the vendor. Most likely, as it begins to rely on newer and newer APIs, features in the browser will just start breaking one by one (especially security-related features) until it eventually does not start up at all.

forest
  • Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place. – DreamConspiracy Apr 10 '19 at 08:03
  • In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS. – Roger Lipscombe Apr 10 '19 at 10:28
  • @DreamConspiracy can you elaborate? – Ooker Apr 10 '19 at 11:17
  • @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors). – James_pic Apr 10 '19 at 11:51
  • @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else? – Voo Apr 10 '19 at 15:00
  • @Ooker what the other two said – DreamConspiracy Apr 10 '19 at 17:59
  • Browsers stop supporting abandoned OSes _long_ before they actually stop working. Chrome [supports Windows 7](https://support.google.com/chrome/a/answer/7100626?), IE [supports Windows 8.1](https://support.microsoft.com/en-us/help/11531/internet-explorer-system-requirements), and Firefox [supports Windows 7](https://www.mozilla.org/en-US/firefox/62.0/system-requirements/) – Mooing Duck Apr 10 '19 at 19:34
  • @RogerLipscombe I don't think the browser uses any OS implementation of TLS. I don't know about Edge/IE, but Firefox and Chrome/Chromium use NSS, which is bundled with the browser. – forest Apr 11 '19 at 04:45
  • @Voo It's not only state malware that's done that. I've pwned boxes and patched the vulnerabilities I used to get in before (though half the time there are already several other shells that beat me to it lol). – forest Apr 11 '19 at 04:46
  • @forest Yes that's my point :) – Voo Apr 11 '19 at 11:38
  • @DreamConspiracy I like your thinking! – Felipe Warrener-Iglesias Apr 11 '19 at 15:10
  • How should one go about using hardware whose drivers are no longer being maintained and which only work on older systems? I would think it should be possible to create an application on an older system which behaves as a remote-desktop client, along with a firewall that swallows all packets not associated with that app. If that app is secure, and one uses it to run most apps on a securely up-to-date system, I'm not sure what security vulnerabilities would remain. – supercat Apr 11 '19 at 20:27
  • @supercat I'm not sure about Windows, but for Linux, even ancient drivers are maintained for a very long time. It's pretty rare to have a machine that still works but which requires drivers that are no longer supported at all. That kind of thing tends to happen when you go back so far that you're using an ISA bus... – forest Apr 12 '19 at 05:41
  • Oh, I did upvote your answer yesterday. Guess I was too sleepy. Nice editing. I'll delete my previous messages as they are now obsolete. As reference for future readers: [Firefox ended support for Windows XP and Vista](https://support.mozilla.org/en-US/kb/end-support-windows-xp-and-vista) in June 2018 ([`¹`](https://windowsreport.com/firefox-support-windows-xp-vista/), [`²`](https://archive.mozilla.org/pub/firefox/releases/52.9.0esr/)), and [Chrome did in April 2016](https://arstechnica.com/gadgets/2015/11/chrome-to-end-support-for-windows-xp-vista-and-os-x-10-8-on-april-2016/). – Marc.2377 Apr 12 '19 at 18:46
  • @forest: Windows has changed enough details about how drivers work that something like the USB interface for a Lego(R) brand motor controller is not usable on any currently-supported version of Windows. I've searched for information about how to use it and the basic conclusion was that it's not possible except by using an older version of Windows. – supercat Apr 15 '19 at 15:11

One benefit of the newer operating systems, like Windows 10 over Windows 7, is that they have more advanced features built in to the operating system to protect against entire classes of vulnerabilities.

There have actually been examples of web browsers being more secure on Windows 10 than Windows 7 even though Windows 7 is still supported! See for example this Google security vulnerability disclosure.

There was a vulnerability in Chrome, but Google's researchers believe that it was only exploitable in Windows 7 due to an additional vulnerability in that version of Windows. The additional protections in Windows 10 protected the system despite the browser vulnerability.

To answer your question about how long the browser will support legacy operating systems: Firefox for example supported Windows XP and Windows Vista until June 2018, which was well after the end of support dates for those operating systems (2014 and 2017 respectively). In their announcement, they claim to have ended support because the operating systems had known exploits which made it difficult to maintain Firefox.

Chrome supported Windows XP and Vista until version 50, which came out in April 2016 (they stopped supporting Vista before Microsoft did!)

kepstin

Oh goodie, a surface area question.

The surface area of attacks against the OS via the browser varies wildly with the browser. With Internet Explorer, the surface area is vast. On the other hand, Firefox mostly uses its own decoders for everything, crushing the surface area down to only a few pieces. In any case, the TCP stack, DNS, and the font rendering engine remain attack targets. It is unwise to assume the attacker will not select a vulnerability that will actually work, and I see GDI+ remote code execution vulnerabilities every few months almost like clockwork.

Don't do it, man. At least not on Windows. On Linux we can do exotic things that make shellcode not work that would at least make the attacker have to target you specifically. But if you haven't done them, don't do it on Linux either.

Joshua
  • why can we make shellcode not work on Linux but not on Windows? – Ooker Apr 11 '19 at 01:24
  • @Ooker: We can prevent `execve()` from working by `ptrace()` or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything. – Joshua Apr 11 '19 at 01:57
  • @Joshua Shellcode from a browser exploit doesn't need to use `execve()`. And I guess you _could_ change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call. – forest Apr 11 '19 at 06:13

Answer:

Browsers are a big surface area for security flaws and are a common source of bugs and weaknesses. While 'up-to-date' and 'secure' are not the same thing at all, having a robust browser will lower your exposure significantly, and in general newer (at the very least) means there will be fewer exploits 'in use' that will affect you. So yes, this helps, and if it's the only way into your system and if it behaves itself, then the OS only needs to behave in a sane way to prevent you from being exposed (sane in a way all likely OSs are).

However:

  • Browsers are not the only source of security issues. There is nothing it can do to protect you from anything other than itself and in a compromised system the browser could be too.

  • OS-level protections, while not as good as not having the bug in the first place, limit the damage of a bug.

Hence:

  • What you use the machine for and what services it has running etc. will significantly affect the other risks and hence the answer to your question. If there are lots of other risky targets open and listening, how good your browser is might not be very relevant at all.

Advice:

The accepted wisdom (in these parts) and the advice people line up to give is:

"More security is more better, and more newer is more security.", which in this case translates to "Update your OS too".

Both are reasonable in my opinion and I wouldn't counsel against updating. But:

  • It's not a silver bullet: no-one is ever 100% safe.
  • There is potentially a trade-off against other things like convenience (which are often wrongly overlooked).
  • There's always a slim possibility updating leads to you using Windows-10, and nobody wants that...
ANone