top | item 36660353

1710522266 | 2 years ago

The problem with old OSes not receiving security updates is that they will be vulnerable to new security vulnerabilities. Having a smaller attack surface (like older OSes did) is important for security. But ultimately, older, unpatched OSes are trivial to hack, even using an off-the-shelf toolkit like Metasploit; attack surface size be damned.

Also, a reason why there are fewer CVEs for older OSes is that we've gotten better at finding exploits and we care more about security because basically every system is networked now. In addition, people are still hacking older versions of Windows [1], they're just not filing CVEs.

In conclusion, even with the smaller attack surface, it seems silly to claim that a system written without any modern security mitigations (such as ASLR or W^X, which try to make stack overflows not trivially exploitable), suffering under the weight of years of unpatched vulnerabilities, is more secure than a modern system.

[1]: https://jumpespjump.blogspot.com/2014/05/hacking-windows-95-...
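The comment above leans on W^X (no page both writable and executable) as a basic modern mitigation. As an added example, not part of the thread, the following audit parses Linux /proc/<pid>/maps text and flags mappings that violate W^X; the map text below is constructed for illustration, and the names (parse_maps, wx_violations, region_is_nx, audit_self) are my own.

```python
"""Audit a Linux process memory map for W^X violations (added example)."""
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text):
    """Parse maps-format text into Mapping objects; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out


def wx_violations(mappings):
    """Mappings that are writable AND executable: a W^X violation worth investigating."""
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]


def region_is_nx(mappings, name):
    """True if every mapping labelled `name` (e.g. '[stack]', '[heap]') is non-executable."""
    regs = [m for m in mappings if m.path == name]
    return bool(regs) and not any("x" in m.perms for m in regs)


# Constructed sample: a hardened binary plus one anonymous rwx mapping (e.g. a JIT or shellcode page).
SAMPLE_MAPS = """\
55d0a1c00000-55d0a1c01000 r--p 00000000 08:01 1234 /usr/bin/demo
55d0a1c01000-55d0a1c02000 r-xp 00001000 08:01 1234 /usr/bin/demo
55d0a1e00000-55d0a1e21000 rw-p 00000000 00:00 0 [heap]
7f3c10000000-7f3c10010000 rwxp 00000000 00:00 0
7ffd4e5f0000-7ffd4e611000 rw-p 00000000 00:00 0 [stack]
"""


def audit_self():
    """Audit the current process on Linux; returns None where /proc is unavailable."""
    try:
        with open("/proc/self/maps") as f:
            return wx_violations(parse_maps(f.read()))
    except OSError:
        return None
```

On a stock Linux box, `audit_self()` should return an empty list for a hardened binary; an anonymous rwx region, as in the sample, is what a defender would want to explain or eliminate.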

StillBored|2 years ago

There is a big difference between win9x and modern battle-hardened OSes that have been sitting on the modern internet for a decade. As the parent points out for Windows, and it's similar for Linux, the security exploits are largely in _NEW_ code being rewritten rather than the code which is being tossed, hence the recent huge privilege escalation bug in the Linux kernel last week.

So, yes, it's planned obsolescence, particularly when random buffer overflow/etc. kinds of bugs get found in these older OSes; fixing them isn't some huge lift for MS/whoever since most of the time it's just a one-line fix. And in the cases where the bug exists across multiple versions, it's likely because it's old, untouched code, so fixing it in the newer OS also fixes it in the older ones if someone figures out how to `git cherry-pick` or equivalent.

I've said it before and I will say it again: the major OS providers should be on the hook for security fixes for the lifetime of the product it's been licensed to run on. That means if I want to play games on a 25-year-old computer, I shouldn't have to worry about whether some 10-year-old bug means I'm going to be exploited the second someone passes an image over that exploits a bug in the jpg decoder.

1710522266|2 years ago

I don't disagree with any of this :)

The only claim that I'm making is that in today's world, it is more secure to be on a system that's receiving security updates.

userbinator|2 years ago

In addition, people are still hacking older versions of Windows [1], they're just not filing CVEs.

That's because there's little value in doing so, and as that article shows, it's also very difficult to do, due to the tiny attack surface. The exploit shown there requires things that people wouldn't normally do (or even find it easy to, due to NATs) even with a newer version --- like exposing a share over the Internet --- and there have already been plenty more exploits found in the file sharing code of newer Windows too.