Is an up-to-date browser secure on an out-of-date OS? The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Why should browser security be prioritized?What are some examples of viruses/exploits with benevolent purposes?Is Google Chrome a more secure browser?If someone steals my laptop while I'm logged in, how can I protect my browser?Secure information exchange between web applications using browser redirectionSecure browser storageWhat is the most secure operating system out there?HTTPS icon red and crossed out - Chrome browserIs browser side encryption realistically secure?Chrome + EMET= How Strong Realistic Protection Against Browser-Based Threats?How secure is “Browser in the Box”?Risk of infecting the host OS if the guest OS is out of date

Hiding Certain Lines on Table

Mortgage adviser recommends a longer term than necessary combined with overpayments

Did the new image of black hole confirm the general theory of relativity?

Four Colour Theorem

How to copy the contents of all files with a certain name into a new file?

Is every episode of "Where are my Pants?" identical?

How are presidential pardons supposed to be used?

What force causes entropy to increase?

Is this wall load bearing? Blueprints and photos attached

Was credit for the black hole image misattributed?

Why can't wing-mounted spoilers be used to steepen approaches?

Is above average number of years spent on PhD considered a red flag in future academia or industry positions?

Why is superheterodyning better than direct conversion?

Am I ethically obligated to go into work on an off day if the reason is sudden?

Cooking pasta in a water boiler

Simulating Exploding Dice

How many people can fit inside Mordenkainen's Magnificent Mansion?

How do I add random spotting to the same face in cycles?

How to split my screen on my Macbook Air?

How long does the line of fire that you can create as an action using the Investiture of Flame spell last?

Is there a writing software that you can sort scenes like slides in PowerPoint?

Why is the object placed in the middle of the sentence here?

Would an alien lifeform be able to achieve space travel if lacking in vision?

Does Parliament need to approve the new Brexit delay to 31 October 2019?



Is an up-to-date browser secure on an out-of-date OS?



The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Why should browser security be prioritized?What are some examples of viruses/exploits with benevolent purposes?Is Google Chrome a more secure browser?If someone steals my laptop while I'm logged in, how can I protect my browser?Secure information exchange between web applications using browser redirectionSecure browser storageWhat is the most secure operating system out there?HTTPS icon red and crossed out - Chrome browserIs browser side encryption realistically secure?Chrome + EMET= How Strong Realistic Protection Against Browser-Based Threats?How secure is “Browser in the Box”?Risk of infecting the host OS if the guest OS is out of date



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








62















Windows 7 support will end on January 14, 2020. Assuming that after that day I still use an updated browser, is it true that I'm still safe? Can it "patch" the OS-based security holes?



Minor question: typically, how long would the browsers stop supporting abandoned OS? Is there any number on this?






Related: Why should browser security be prioritized?

FYI: Attack surface - Wikipedia










share|improve this question



















  • 12





    Why not just install Windows 10? It's a pain, but you can disable the privacy-violating "telemetry" features and change the desktop to look more like that of 7. Windows 10 has significantly superior security anyways.

    – forest
    Apr 10 at 3:00







  • 26





    Perhaps you should consider switching to a popular Linux distribution like Ubuntu then. It's secure, privacy-friendly, and works very well on a wide-variety of hardware (even old hardware).

    – forest
    Apr 10 at 4:31







  • 10





    unfortunately, I need Windows programs (AutoHotKey, ShareX, ManicTime). Libre Office can replace MS Office, but it's buggy for large files

    – Ooker
    Apr 10 at 4:52






  • 7





    Wine works for many programs, and there are good (sometimes superior) alternatives to many Windows-native programs that are incompatible with Wine. I suppose you'll have to decide whether or not it's important enough for you to buy a new computer (and continue to do so every few years).

    – forest
    Apr 10 at 5:07






  • 11





    in fact windows 10 should often be smoother on the same specs compared to Windows 7 because of several improvements like user-space font rendering (which means less context switches → lower Meltdown impact), compressed memory (like zram on Linux) which significantly enhances responsiveness on systems with low memory

    – phuclv
    Apr 10 at 16:12

















62















Windows 7 support will end on January 14, 2020. Assuming that after that day I still use an updated browser, is it true that I'm still safe? Can it "patch" the OS-based security holes?



Minor question: typically, how long would the browsers stop supporting abandoned OS? Is there any number on this?






Related: Why should browser security be prioritized?

FYI: Attack surface - Wikipedia










share|improve this question



















  • 12





    Why not just install Windows 10? It's a pain, but you can disable the privacy-violating "telemetry" features and change the desktop to look more like that of 7. Windows 10 has significantly superior security anyways.

    – forest
    Apr 10 at 3:00







  • 26





    Perhaps you should consider switching to a popular Linux distribution like Ubuntu then. It's secure, privacy-friendly, and works very well on a wide-variety of hardware (even old hardware).

    – forest
    Apr 10 at 4:31







  • 10





    unfortunately, I need Windows programs (AutoHotKey, ShareX, ManicTime). Libre Office can replace MS Office, but it's buggy for large files

    – Ooker
    Apr 10 at 4:52






  • 7





    Wine works for many programs, and there are good (sometimes superior) alternatives to many Windows-native programs that are incompatible with Wine. I suppose you'll have to decide whether or not it's important enough for you to buy a new computer (and continue to do so every few years).

    – forest
    Apr 10 at 5:07






  • 11





    in fact windows 10 should often be smoother on the same specs compared to Windows 7 because of several improvements like user-space font rendering (which means less context switches → lower Meltdown impact), compressed memory (like zram on Linux) which significantly enhances responsiveness on systems with low memory

    – phuclv
    Apr 10 at 16:12













62












62








62


9






Windows 7 support will end on January 14, 2020. Assuming that after that day I still use an updated browser, is it true that I'm still safe? Can it "patch" the OS-based security holes?



Minor question: typically, how long would the browsers stop supporting abandoned OS? Is there any number on this?






Related: Why should browser security be prioritized?

FYI: Attack surface - Wikipedia










share|improve this question
















Windows 7 support will end on January 14, 2020. Assuming that after that day I still use an updated browser, is it true that I'm still safe? Can it "patch" the OS-based security holes?



Minor question: typically, how long would the browsers stop supporting abandoned OS? Is there any number on this?






Related: Why should browser security be prioritized?

FYI: Attack surface - Wikipedia







web-browser appsec operating-systems attack-vector windows-7






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 11 at 1:22







Ooker

















asked Apr 10 at 2:17









OokerOoker

8891913




8891913







  • 12





    Why not just install Windows 10? It's a pain, but you can disable the privacy-violating "telemetry" features and change the desktop to look more like that of 7. Windows 10 has significantly superior security anyways.

    – forest
    Apr 10 at 3:00







  • 26





    Perhaps you should consider switching to a popular Linux distribution like Ubuntu then. It's secure, privacy-friendly, and works very well on a wide-variety of hardware (even old hardware).

    – forest
    Apr 10 at 4:31







  • 10





    unfortunately, I need Windows programs (AutoHotKey, ShareX, ManicTime). Libre Office can replace MS Office, but it's buggy for large files

    – Ooker
    Apr 10 at 4:52






  • 7





    Wine works for many programs, and there are good (sometimes superior) alternatives to many Windows-native programs that are incompatible with Wine. I suppose you'll have to decide whether or not it's important enough for you to buy a new computer (and continue to do so every few years).

    – forest
    Apr 10 at 5:07






  • 11





    in fact windows 10 should often be smoother on the same specs compared to Windows 7 because of several improvements like user-space font rendering (which means less context switches → lower Meltdown impact), compressed memory (like zram on Linux) which significantly enhances responsiveness on systems with low memory

    – phuclv
    Apr 10 at 16:12












  • 12





    Why not just install Windows 10? It's a pain, but you can disable the privacy-violating "telemetry" features and change the desktop to look more like that of 7. Windows 10 has significantly superior security anyways.

    – forest
    Apr 10 at 3:00







  • 26





    Perhaps you should consider switching to a popular Linux distribution like Ubuntu then. It's secure, privacy-friendly, and works very well on a wide-variety of hardware (even old hardware).

    – forest
    Apr 10 at 4:31







  • 10





    unfortunately, I need Windows programs (AutoHotKey, ShareX, ManicTime). Libre Office can replace MS Office, but it's buggy for large files

    – Ooker
    Apr 10 at 4:52






  • 7





    Wine works for many programs, and there are good (sometimes superior) alternatives to many Windows-native programs that are incompatible with Wine. I suppose you'll have to decide whether or not it's important enough for you to buy a new computer (and continue to do so every few years).

    – forest
    Apr 10 at 5:07






  • 11





    in fact windows 10 should often be smoother on the same specs compared to Windows 7 because of several improvements like user-space font rendering (which means less context switches → lower Meltdown impact), compressed memory (like zram on Linux) which significantly enhances responsiveness on systems with low memory

    – phuclv
    Apr 10 at 16:12







12




12





Why not just install Windows 10? It's a pain, but you can disable the privacy-violating "telemetry" features and change the desktop to look more like that of 7. Windows 10 has significantly superior security anyways.

– forest
Apr 10 at 3:00






Why not just install Windows 10? It's a pain, but you can disable the privacy-violating "telemetry" features and change the desktop to look more like that of 7. Windows 10 has significantly superior security anyways.

– forest
Apr 10 at 3:00





26




26





Perhaps you should consider switching to a popular Linux distribution like Ubuntu then. It's secure, privacy-friendly, and works very well on a wide-variety of hardware (even old hardware).

– forest
Apr 10 at 4:31






Perhaps you should consider switching to a popular Linux distribution like Ubuntu then. It's secure, privacy-friendly, and works very well on a wide-variety of hardware (even old hardware).

– forest
Apr 10 at 4:31





10




10





unfortunately, I need Windows programs (AutoHotKey, ShareX, ManicTime). Libre Office can replace MS Office, but it's buggy for large files

– Ooker
Apr 10 at 4:52





unfortunately, I need Windows programs (AutoHotKey, ShareX, ManicTime). Libre Office can replace MS Office, but it's buggy for large files

– Ooker
Apr 10 at 4:52




7




7





Wine works for many programs, and there are good (sometimes superior) alternatives to many Windows-native programs that are incompatible with Wine. I suppose you'll have to decide whether or not it's important enough for you to buy a new computer (and continue to do so every few years).

– forest
Apr 10 at 5:07





Wine works for many programs, and there are good (sometimes superior) alternatives to many Windows-native programs that are incompatible with Wine. I suppose you'll have to decide whether or not it's important enough for you to buy a new computer (and continue to do so every few years).

– forest
Apr 10 at 5:07




11




11





in fact windows 10 should often be smoother on the same specs compared to Windows 7 because of several improvements like user-space font rendering (which means less context switches → lower Meltdown impact), compressed memory (like zram on Linux) which significantly enhances responsiveness on systems with low memory

– phuclv
Apr 10 at 16:12





in fact windows 10 should often be smoother on the same specs compared to Windows 7 because of several improvements like user-space font rendering (which means less context switches → lower Meltdown impact), compressed memory (like zram on Linux) which significantly enhances responsiveness on systems with low memory

– phuclv
Apr 10 at 16:12










4 Answers
4






active

oldest

votes


















78














Do not use an outdated OS, even with a modern browser.




Assuming that after that day I still use an updated browser, is it true that I'm still safe?




No, you cannot avoid browser-based security holes only by updating the browser. There are a few reasons for this. Primarily, the browser is not entirely self-contained. It makes use of operating system libraries, for example the system memory allocator. This allocator is designed to mitigate various memory corruption-related security issues. If the allocator is not kept up to date, memory exploitation bugs may be easier to perform against the browser, no matter how up to date the browser is.



Another reason is that browser security often relies on OS sandboxing features. A powerful browser exploit must be combined with a so-called sandbox escape. How easy that escape is depends on how secure the operating system is as well as how secure the browser is. By using an outdated operating system, your browser is being protected by out of date and potentially vulnerable security features.




Can it "patch" the OS-based security holes?




No. Patching operating system vulnerabilities requires elevated privileges, which a browser does not have. Even if it did, browsers are not designed to modify system settings or system files. There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS.




Minor question: typically, how long would the browsers stop supporting abandoned OS?




Browser vendors typically publish when they will stop officially supporting a particular operating system. After that point, changes made to the browser that break on older systems will no longer be considered bugs and may not be fixed. Programs typically continue running on older systems for a very long time, however. They only stop working when they begin to rely on newer system APIs that aren't present in older versions. This is relatively rare. A browser should be able to run on an outdated operating system for many years, albeit not very securely, and without official support from the vendor. Most likely, as it begins to rely on newer and newer APIs, features in the browser will just start breaking one by one (especially security-related features) until it eventually does not start up at all.






share|improve this answer




















  • 14





    Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place.

    – DreamConspiracy
    Apr 10 at 8:03






  • 5





    In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS.

    – Roger Lipscombe
    Apr 10 at 10:28






  • 6





    @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors).

    – James_pic
    Apr 10 at 11:51






  • 8





    @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else?

    – Voo
    Apr 10 at 15:00






  • 6





    Browsers stop supporting abandoned OS' long before they actually stop working. Chrome Supports Windows 7, IE Supports Windows 8.1, and Firefox Supports Windows 7

    – Mooing Duck
    Apr 10 at 19:34


















12














One benefit of the newer operating systems, like Windows 10 over Windows 7, is that they have more advanced features built in to the operating system to protect against entire classes of vulnerabilities.



There have actually been examples of web browsers being more secure on Windows 10 than Windows 7 even though Windows 7 is still supported! See for example this Google security vulnerability disclosure.



There was a vulnerability in Chrome, but Google's researchers believe that it was only exploitable in Windows 7 due to an additional vulnerability in that version of Windows. The additional protections in Windows 10 protected the system despite the browser vulnerability.



To answer your question about how long the browser will support legacy operating systems: Firefox for example supported Windows XP and Windows Vista until June 2018, which was well after the end of support dates for those operating systems (2014 and 2017 respectively). In their announcement, they claim to have ended support because the operating systems had known exploits which made it difficult to maintain Firefox.



Chrome supported Windows XP and Vista until version 50, which came out in April 2016 (they stopped supporting Vista before Microsoft did!)






share|improve this answer








New contributor




kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



























    7














    Oh goodie a surface area question.



    The surface area of attacks against the OS via the browser varies wildly with the browser. With Internet Explorer, the surface area is vast. On the other hand, Firefox mostly uses its own decoders for everything, crushing the surface area down to only a few pieces. In any case, the TCP stack, DNS, and the font rendering engine remain attack targets. It is unwise to assume the attacker will not select a vulnerability that will actually work, and I see GDI+ remote code execution vulnerabilities every few months almost like clockwork.



    Don't do it man. At least not on Windows. On Linux we can do exotic things that make shellcode not work that would at least make the attacker have to target you specifically. But if you haven't done them don't do it on Linux either.






    share|improve this answer























    • why can we make shellcode not working on Linux but not on Windows?

      – Ooker
      Apr 11 at 1:24






    • 2





      @Ooker: We can prevent execve() from working by ptrace() or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything.

      – Joshua
      Apr 11 at 1:57











    • @Joshua Shellcode from a browser exploit doesn't need to use execve(). And I guess you could change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call.

      – forest
      2 days ago


















    1














    Answer:



    Browsers are a big surface-area for security flaws and are a common source of bugs and weaknesses. While 'up-to-date' and 'secure' are not the same thing at all, having a robust browser will lower your exposure significantly, and in general newer (at the very least) means there will be fewer exploits 'in use' that will effect you. So yes this helps, and if it's the only way in to you system and if it behaves itself, then the OS only needs to behave in a sane way to prevent you from being exposed (sane in a way all likely OSs are).



    However:



    • Browsers are not the only source of security issues. There is nothing it can do to protect you from anything other than itself and in a compromised system the browser could be too.


    • OS level protections while not as good as not-having-the-bug-in-the-first-place and limit the damage of a bug.


    Hence:



    • What you use the machine for and what services it has running etc will significantly effect the other risks and hence the answer to your question. If there are lots of other risky targets open and listening, how good your browser is might not be very relevant at all.

    Advice:



    The accepted wisdom (in these parts) and the advice people line up to give is:



    "More security is more better, and more newer is more security.", which in this case translates to "Update your OS too".



    Both are reasonable in my opinion and I wouldn't council against updating. But:



    • It's not a silver bullet: no-one is ever 100% safe.

    • There is potentially a trade-off against other things like convenience (which are often wrongly overlooked).

    • There's always a slim possibility updating leads to you using Windows-10, and nobody wants that...





    share|improve this answer


















    • 1





      I Use Windows 10. In fact, I'm happily using it and having far less problems than any other operational system I have ever put my hands on. If microsoft wants to take a peek on my hardware and installed programs in exchange for a better, safer OS so be it. I prefer my stuff to be on the hands of a competent corporate company than on the hands of some weird guy that is know for having fits of angry rage because someone didn't keep with his arcane nomeclature scheme.

      – T. Sar
      Apr 10 at 18:47






    • 1





      @T.Sar Unfortunately, the issues with the privacy invasions are that those who are not benign can sometimes exploit this. This isn't limited to three letter agencies. I do want to note though that the issues with Windows telemetry aren't that it shows your hardware info and installed software to the developers. Even Debian Linux does that. Telemetry collects a lot more.

      – forest
      Apr 11 at 4:53












    • Win 10 hating: where to start? For one thing, yeah the borderline key-logging they're using to get into the personalised ad games are way worse than what hardware and software are installed. But the gripes don't stop with the privacy issues (though perhaps related). My personal main objection is it not conducive to doing what its told (perhaps to protect its data collection). I.e.: "please don't restart because you fancy it" -> "No but how about you can pick a few hours each day you super don't want me to power-cycle in?"...

      – ANone
      2 days ago











    • @ANone I don't have those issues at all. Are you sure you set up your win 10 properly?

      – T. Sar
      2 days ago











    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207122%2fis-an-up-to-date-browser-secure-on-an-out-of-date-os%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    4 Answers
    4






    active

    oldest

    votes








    4 Answers
    4






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    78














    Do not use an outdated OS, even with a modern browser.




    Assuming that after that day I still use an updated browser, is it true that I'm still safe?




    No, you cannot avoid browser-based security holes only by updating the browser. There are a few reasons for this. Primarily, the browser is not entirely self-contained. It makes use of operating system libraries, for example the system memory allocator. This allocator is designed to mitigate various memory corruption-related security issues. If the allocator is not kept up to date, memory exploitation bugs may be easier to perform against the browser, no matter how up to date the browser is.



    Another reason is that browser security often relies on OS sandboxing features. A powerful browser exploit must be combined with a so-called sandbox escape. How easy that escape is depends on how secure the operating system is as well as how secure the browser is. By using an outdated operating system, your browser is being protected by out of date and potentially vulnerable security features.




    Can it "patch" the OS-based security holes?




    No. Patching operating system vulnerabilities requires elevated privileges, which a browser does not have. Even if it did, browsers are not designed to modify system settings or system files. There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS.




    Minor question: typically, how long would the browsers stop supporting abandoned OS?




    Browser vendors typically publish when they will stop officially supporting a particular operating system. After that point, changes made to the browser that break on older systems will no longer be considered bugs and may not be fixed. Programs typically continue running on older systems for a very long time, however. They only stop working when they begin to rely on newer system APIs that aren't present in older versions. This is relatively rare. A browser should be able to run on an outdated operating system for many years, albeit not very securely, and without official support from the vendor. Most likely, as it begins to rely on newer and newer APIs, features in the browser will just start breaking one by one (especially security-related features) until it eventually does not start up at all.






    share|improve this answer




















    • 14





      Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place.

      – DreamConspiracy
      Apr 10 at 8:03






    • 5





      In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS.

      – Roger Lipscombe
      Apr 10 at 10:28






    • 6





      @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors).

      – James_pic
      Apr 10 at 11:51






    • 8





      @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else?

      – Voo
      Apr 10 at 15:00






    • 6





      Browsers stop supporting abandoned OS' long before they actually stop working. Chrome Supports Windows 7, IE Supports Windows 8.1, and Firefox Supports Windows 7

      – Mooing Duck
      Apr 10 at 19:34















    78














    Do not use an outdated OS, even with a modern browser.




    Assuming that after that day I still use an updated browser, is it true that I'm still safe?




    No, you cannot avoid browser-based security holes only by updating the browser. There are a few reasons for this. Primarily, the browser is not entirely self-contained. It makes use of operating system libraries, for example the system memory allocator. This allocator is designed to mitigate various memory corruption-related security issues. If the allocator is not kept up to date, memory exploitation bugs may be easier to perform against the browser, no matter how up to date the browser is.



    Another reason is that browser security often relies on OS sandboxing features. A powerful browser exploit must be combined with a so-called sandbox escape. How easy that escape is depends on how secure the operating system is as well as how secure the browser is. By using an outdated operating system, your browser is being protected by out of date and potentially vulnerable security features.




    Can it "patch" the OS-based security holes?




    No. Patching operating system vulnerabilities requires elevated privileges, which a browser does not have. Even if it did, browsers are not designed to modify system settings or system files. There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS.




    Minor question: typically, how long would the browsers stop supporting abandoned OS?




    Browser vendors typically publish when they will stop officially supporting a particular operating system. After that point, changes made to the browser that break on older systems will no longer be considered bugs and may not be fixed. Programs typically continue running on older systems for a very long time, however. They only stop working when they begin to rely on newer system APIs that aren't present in older versions. This is relatively rare. A browser should be able to run on an outdated operating system for many years, albeit not very securely, and without official support from the vendor. Most likely, as it begins to rely on newer and newer APIs, features in the browser will just start breaking one by one (especially security-related features) until it eventually does not start up at all.






    share|improve this answer




















    • 14





      Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place.

      – DreamConspiracy
      Apr 10 at 8:03






    • 5





      In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS.

      – Roger Lipscombe
      Apr 10 at 10:28






    • 6





      @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors).

      – James_pic
      Apr 10 at 11:51






    • 8





      @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else?

      – Voo
      Apr 10 at 15:00






    • 6





      Browsers stop supporting abandoned OS' long before they actually stop working. Chrome Supports Windows 7, IE Supports Windows 8.1, and Firefox Supports Windows 7

      – Mooing Duck
      Apr 10 at 19:34













    78












    78








    78







    Do not use an outdated OS, even with a modern browser.




    Assuming that after that day I still use an updated browser, is it true that I'm still safe?




    No, you cannot avoid browser-based security holes only by updating the browser. There are a few reasons for this. Primarily, the browser is not entirely self-contained. It makes use of operating system libraries, for example the system memory allocator. This allocator is designed to mitigate various memory corruption-related security issues. If the allocator is not kept up to date, memory exploitation bugs may be easier to perform against the browser, no matter how up to date the browser is.



    Another reason is that browser security often relies on OS sandboxing features. A powerful browser exploit must be combined with a so-called sandbox escape. How easy that escape is depends on how secure the operating system is as well as how secure the browser is. By using an outdated operating system, your browser is being protected by out of date and potentially vulnerable security features.




    Can it "patch" the OS-based security holes?




    No. Patching operating system vulnerabilities requires elevated privileges, which a browser does not have. Even if it did, browsers are not designed to modify system settings or system files. There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS.




    Minor question: typically, how long would the browsers stop supporting abandoned OS?




    Browser vendors typically publish when they will stop officially supporting a particular operating system. After that point, changes made to the browser that break on older systems will no longer be considered bugs and may not be fixed. Programs typically continue running on older systems for a very long time, however. They only stop working when they begin to rely on newer system APIs that aren't present in older versions. This is relatively rare. A browser should be able to run on an outdated operating system for many years, albeit not very securely, and without official support from the vendor. Most likely, as it begins to rely on newer and newer APIs, features in the browser will just start breaking one by one (especially security-related features) until it eventually does not start up at all.






    share|improve this answer















    Do not use an outdated OS, even with a modern browser.




    Assuming that after that day I still use an updated browser, is it true that I'm still safe?




    No, you cannot avoid browser-based security holes only by updating the browser. There are a few reasons for this. Primarily, the browser is not entirely self-contained. It makes use of operating system libraries, for example the system memory allocator. This allocator is designed to mitigate various memory corruption-related security issues. If the allocator is not kept up to date, memory exploitation bugs may be easier to perform against the browser, no matter how up to date the browser is.



    Another reason is that browser security often relies on OS sandboxing features. A powerful browser exploit must be combined with a so-called sandbox escape. How easy that escape is depends on how secure the operating system is as well as how secure the browser is. By using an outdated operating system, your browser is being protected by out of date and potentially vulnerable security features.




    Can it "patch" the OS-based security holes?




    No. Patching operating system vulnerabilities requires elevated privileges, which a browser does not have. Even if it did, browsers are not designed to modify system settings or system files. There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS.




    Minor question: typically, how long would the browsers stop supporting abandoned OS?




    Browser vendors typically publish when they will stop officially supporting a particular operating system. After that point, changes made to the browser that break on older systems will no longer be considered bugs and may not be fixed. Programs typically continue running on older systems for a very long time, however. They only stop working when they begin to rely on newer system APIs that aren't present in older versions. This is relatively rare. A browser should be able to run on an outdated operating system for many years, albeit not very securely, and without official support from the vendor. Most likely, as it begins to rely on newer and newer APIs, features in the browser will just start breaking one by one (especially security-related features) until it eventually does not start up at all.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited yesterday

























    answered Apr 10 at 2:53









    forestforest

    40.4k18131146




    40.4k18131146







    • 14





      Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place.

      – DreamConspiracy
      Apr 10 at 8:03






    • 5





      In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS.

      – Roger Lipscombe
      Apr 10 at 10:28






    • 6





      @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors).

      – James_pic
      Apr 10 at 11:51






    • 8





      @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else?

      – Voo
      Apr 10 at 15:00






    • 6





      Browsers stop supporting abandoned OS' long before they actually stop working. Chrome Supports Windows 7, IE Supports Windows 8.1, and Firefox Supports Windows 7

      – Mooing Duck
      Apr 10 at 19:34












    • 14





      Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place.

      – DreamConspiracy
      Apr 10 at 8:03






    • 5





      In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS.

      – Roger Lipscombe
      Apr 10 at 10:28






    • 6





      @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors).

      – James_pic
      Apr 10 at 11:51






    • 8





      @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else?

      – Voo
      Apr 10 at 15:00






    • 6





      Browsers stop supporting abandoned OS' long before they actually stop working. Chrome Supports Windows 7, IE Supports Windows 8.1, and Firefox Supports Windows 7

      – Mooing Duck
      Apr 10 at 19:34







    14




    14





    Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place.

    – DreamConspiracy
    Apr 10 at 8:03





    Re: "There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS". Well... There might be. But they would likely end up patching whatever security vulnerability allowed them to work in the first place.

    – DreamConspiracy
    Apr 10 at 8:03




    5




    5





    In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS.

    – Roger Lipscombe
    Apr 10 at 10:28





    In addition to the memory allocator example you give: The browser uses the OS networking stack, which might have vulnerabilities. Above that, the browser might use the OS implementation of TLS.

    – Roger Lipscombe
    Apr 10 at 10:28




    6




    6





    @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors).

    – James_pic
    Apr 10 at 11:51





    @Ooker I believe there have been instances where attackers (who in the cases I'm thinking of, were believed to be nation state actors) compromised a high-value system, then applied the necessary security updates to the system to prevent anyone else compromising it (presumably because they were worried about other nation state actors).

    – James_pic
    Apr 10 at 11:51




    8




    8





    @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else?

    – Voo
    Apr 10 at 15:00





    @james I don't think we have to go that far (state sponsored malware). It's common for standard malware to patch the system after they've gotten access. Why share your valuable infected system with someone else?

    – Voo
    Apr 10 at 15:00




    6




    6





    Browsers stop supporting abandoned OS' long before they actually stop working. Chrome Supports Windows 7, IE Supports Windows 8.1, and Firefox Supports Windows 7

    – Mooing Duck
    Apr 10 at 19:34





    Browsers stop supporting abandoned OS' long before they actually stop working. Chrome Supports Windows 7, IE Supports Windows 8.1, and Firefox Supports Windows 7

    – Mooing Duck
    Apr 10 at 19:34













    12














    One benefit of the newer operating systems, like Windows 10 over Windows 7, is that they have more advanced features built in to the operating system to protect against entire classes of vulnerabilities.



    There have actually been examples of web browsers being more secure on Windows 10 than Windows 7 even though Windows 7 is still supported! See for example this Google security vulnerability disclosure.



    There was a vulnerability in Chrome, but Google's researchers believe that it was only exploitable in Windows 7 due to an additional vulnerability in that version of Windows. The additional protections in Windows 10 protected the system despite the browser vulnerability.



    To answer your question about how long the browser will support legacy operating systems: Firefox for example supported Windows XP and Windows Vista until June 2018, which was well after the end of support dates for those operating systems (2014 and 2017 respectively). In their announcement, they claim to have ended support because the operating systems had known exploits which made it difficult to maintain Firefox.



    Chrome supported Windows XP and Vista until version 50, which came out in April 2016 (they stopped supporting Vista before Microsoft did!)






    share|improve this answer








    New contributor




    kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.
























      12














      One benefit of the newer operating systems, like Windows 10 over Windows 7, is that they have more advanced features built in to the operating system to protect against entire classes of vulnerabilities.



      There have actually been examples of web browsers being more secure on Windows 10 than Windows 7 even though Windows 7 is still supported! See for example this Google security vulnerability disclosure.



      There was a vulnerability in Chrome, but Google's researchers believe that it was only exploitable in Windows 7 due to an additional vulnerability in that version of Windows. The additional protections in Windows 10 protected the system despite the browser vulnerability.



      To answer your question about how long the browser will support legacy operating systems: Firefox for example supported Windows XP and Windows Vista until June 2018, which was well after the end of support dates for those operating systems (2014 and 2017 respectively). In their announcement, they claim to have ended support because the operating systems had known exploits which made it difficult to maintain Firefox.



      Chrome supported Windows XP and Vista until version 50, which came out in April 2016 (they stopped supporting Vista before Microsoft did!)






      share|improve this answer








      New contributor




      kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















        12












        12








        12







        One benefit of the newer operating systems, like Windows 10 over Windows 7, is that they have more advanced features built in to the operating system to protect against entire classes of vulnerabilities.



        There have actually been examples of web browsers being more secure on Windows 10 than Windows 7 even though Windows 7 is still supported! See for example this Google security vulnerability disclosure.



        There was a vulnerability in Chrome, but Google's researchers believe that it was only exploitable in Windows 7 due to an additional vulnerability in that version of Windows. The additional protections in Windows 10 protected the system despite the browser vulnerability.



        To answer your question about how long the browser will support legacy operating systems: Firefox for example supported Windows XP and Windows Vista until June 2018, which was well after the end of support dates for those operating systems (2014 and 2017 respectively). In their announcement, they claim to have ended support because the operating systems had known exploits which made it difficult to maintain Firefox.



        Chrome supported Windows XP and Vista until version 50, which came out in April 2016 (they stopped supporting Vista before Microsoft did!)






        share|improve this answer








        New contributor




        kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.










        One benefit of the newer operating systems, like Windows 10 over Windows 7, is that they have more advanced features built in to the operating system to protect against entire classes of vulnerabilities.



        There have actually been examples of web browsers being more secure on Windows 10 than Windows 7 even though Windows 7 is still supported! See for example this Google security vulnerability disclosure.



        There was a vulnerability in Chrome, but Google's researchers believe that it was only exploitable in Windows 7 due to an additional vulnerability in that version of Windows. The additional protections in Windows 10 protected the system despite the browser vulnerability.



        To answer your question about how long the browser will support legacy operating systems: Firefox for example supported Windows XP and Windows Vista until June 2018, which was well after the end of support dates for those operating systems (2014 and 2017 respectively). In their announcement, they claim to have ended support because the operating systems had known exploits which made it difficult to maintain Firefox.



        Chrome supported Windows XP and Vista until version 50, which came out in April 2016 (they stopped supporting Vista before Microsoft did!)







        share|improve this answer








        New contributor




        kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer






        New contributor




        kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered Apr 10 at 16:23









        kepstinkepstin

        1212




        1212




        New contributor




        kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        kepstin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





















            7














            Oh goodie a surface area question.



            The surface area of attacks against the OS via the browser varies wildly with the browser. With Internet Explorer, the surface area is vast. On the other hand, Firefox mostly uses its own decoders for everything, crushing the surface area down to only a few pieces. In any case, the TCP stack, DNS, and the font rendering engine remain attack targets. It is unwise to assume the attacker will not select a vulnerability that will actually work, and I see GDI+ remote code execution vulnerabilities every few months almost like clockwork.



            Don't do it man. At least not on Windows. On Linux we can do exotic things that make shellcode not work that would at least make the attacker have to target you specifically. But if you haven't done them don't do it on Linux either.






            share|improve this answer























            • why can we make shellcode not working on Linux but not on Windows?

              – Ooker
              Apr 11 at 1:24






            • 2





              @Ooker: We can prevent execve() from working by ptrace() or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything.

              – Joshua
              Apr 11 at 1:57











            • @Joshua Shellcode from a browser exploit doesn't need to use execve(). And I guess you could change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call.

              – forest
              2 days ago















            7














            Oh goodie a surface area question.



            The surface area of attacks against the OS via the browser varies wildly with the browser. With Internet Explorer, the surface area is vast. On the other hand, Firefox mostly uses its own decoders for everything, crushing the surface area down to only a few pieces. In any case, the TCP stack, DNS, and the font rendering engine remain attack targets. It is unwise to assume the attacker will not select a vulnerability that will actually work, and I see GDI+ remote code execution vulnerabilities every few months almost like clockwork.



            Don't do it man. At least not on Windows. On Linux we can do exotic things that make shellcode not work that would at least make the attacker have to target you specifically. But if you haven't done them don't do it on Linux either.






            share|improve this answer























            • why can we make shellcode not working on Linux but not on Windows?

              – Ooker
              Apr 11 at 1:24






            • 2





              @Ooker: We can prevent execve() from working by ptrace() or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything.

              – Joshua
              Apr 11 at 1:57











            • @Joshua Shellcode from a browser exploit doesn't need to use execve(). And I guess you could change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call.

              – forest
              2 days ago













            7












            7








            7







            Oh goodie a surface area question.



            The surface area of attacks against the OS via the browser varies wildly with the browser. With Internet Explorer, the surface area is vast. On the other hand, Firefox mostly uses its own decoders for everything, crushing the surface area down to only a few pieces. In any case, the TCP stack, DNS, and the font rendering engine remain attack targets. It is unwise to assume the attacker will not select a vulnerability that will actually work, and I see GDI+ remote code execution vulnerabilities every few months almost like clockwork.



            Don't do it man. At least not on Windows. On Linux we can do exotic things that make shellcode not work that would at least make the attacker have to target you specifically. But if you haven't done them don't do it on Linux either.






            share|improve this answer













            Oh goodie a surface area question.



            The surface area of attacks against the OS via the browser varies wildly with the browser. With Internet Explorer, the surface area is vast. On the other hand, Firefox mostly uses its own decoders for everything, crushing the surface area down to only a few pieces. In any case, the TCP stack, DNS, and the font rendering engine remain attack targets. It is unwise to assume the attacker will not select a vulnerability that will actually work, and I see GDI+ remote code execution vulnerabilities every few months almost like clockwork.



            Don't do it man. At least not on Windows. On Linux we can do exotic things that make shellcode not work that would at least make the attacker have to target you specifically. But if you haven't done them don't do it on Linux either.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Apr 10 at 23:06









            JoshuaJoshua

            79748




            79748












            • why can we make shellcode not working on Linux but not on Windows?

              – Ooker
              Apr 11 at 1:24






            • 2





              @Ooker: We can prevent execve() from working by ptrace() or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything.

              – Joshua
              Apr 11 at 1:57











            • @Joshua Shellcode from a browser exploit doesn't need to use execve(). And I guess you could change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call.

              – forest
              2 days ago

















            • why can we make shellcode not working on Linux but not on Windows?

              – Ooker
              Apr 11 at 1:24






            • 2





              @Ooker: We can prevent execve() from working by ptrace() or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything.

              – Joshua
              Apr 11 at 1:57











            • @Joshua Shellcode from a browser exploit doesn't need to use execve(). And I guess you could change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call.

              – forest
              2 days ago
















            why can we make shellcode not working on Linux but not on Windows?

            – Ooker
            Apr 11 at 1:24





            why can we make shellcode not working on Linux but not on Windows?

            – Ooker
            Apr 11 at 1:24




            2




            2





            @Ooker: We can prevent execve() from working by ptrace() or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything.

            – Joshua
            Apr 11 at 1:57





            @Ooker: We can prevent execve() from working by ptrace() or LSM or something more exotic. We can also move the syscall gate but that doesn't block everything.

            – Joshua
            Apr 11 at 1:57













            @Joshua Shellcode from a browser exploit doesn't need to use execve(). And I guess you could change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call.

            – forest
            2 days ago





            @Joshua Shellcode from a browser exploit doesn't need to use execve(). And I guess you could change the syscall numbers but that would require patching your libc and adjusting all manual assembly that invokes syscalls. Not to mention, it'd be totally useless if the shellcode abused a library call.

            – forest
            2 days ago











            1














            Answer:



            Browsers are a big surface-area for security flaws and are a common source of bugs and weaknesses. While 'up-to-date' and 'secure' are not the same thing at all, having a robust browser will lower your exposure significantly, and in general newer (at the very least) means there will be fewer exploits 'in use' that will effect you. So yes this helps, and if it's the only way in to you system and if it behaves itself, then the OS only needs to behave in a sane way to prevent you from being exposed (sane in a way all likely OSs are).



            However:



            • Browsers are not the only source of security issues. There is nothing it can do to protect you from anything other than itself and in a compromised system the browser could be too.


            • OS level protections while not as good as not-having-the-bug-in-the-first-place and limit the damage of a bug.


            Hence:



            • What you use the machine for and what services it has running etc will significantly effect the other risks and hence the answer to your question. If there are lots of other risky targets open and listening, how good your browser is might not be very relevant at all.

            Advice:



            The accepted wisdom (in these parts) and the advice people line up to give is:



            "More security is more better, and more newer is more security.", which in this case translates to "Update your OS too".



            Both are reasonable in my opinion and I wouldn't council against updating. But:



            • It's not a silver bullet: no-one is ever 100% safe.

            • There is potentially a trade-off against other things like convenience (which are often wrongly overlooked).

            • There's always a slim possibility updating leads to you using Windows-10, and nobody wants that...





            share|improve this answer


















            • 1





              I Use Windows 10. In fact, I'm happily using it and having far less problems than any other operational system I have ever put my hands on. If microsoft wants to take a peek on my hardware and installed programs in exchange for a better, safer OS so be it. I prefer my stuff to be on the hands of a competent corporate company than on the hands of some weird guy that is know for having fits of angry rage because someone didn't keep with his arcane nomeclature scheme.

              – T. Sar
              Apr 10 at 18:47






            • 1





              @T.Sar Unfortunately, the issues with the privacy invasions are that those who are not benign can sometimes exploit this. This isn't limited to three letter agencies. I do want to note though that the issues with Windows telemetry aren't that it shows your hardware info and installed software to the developers. Even Debian Linux does that. Telemetry collects a lot more.

              – forest
              Apr 11 at 4:53












            • Win 10 hating: where to start? For one thing, yeah the borderline key-logging they're using to get into the personalised ad games are way worse than what hardware and software are installed. But the gripes don't stop with the privacy issues (though perhaps related). My personal main objection is it not conducive to doing what its told (perhaps to protect its data collection). I.e.: "please don't restart because you fancy it" -> "No but how about you can pick a few hours each day you super don't want me to power-cycle in?"...

              – ANone
              2 days ago











            • @ANone I don't have those issues at all. Are you sure you set up your win 10 properly?

              – T. Sar
              2 days ago















            1














            Answer:



            Browsers are a big surface-area for security flaws and are a common source of bugs and weaknesses. While 'up-to-date' and 'secure' are not the same thing at all, having a robust browser will lower your exposure significantly, and in general newer (at the very least) means there will be fewer exploits 'in use' that will effect you. So yes this helps, and if it's the only way in to you system and if it behaves itself, then the OS only needs to behave in a sane way to prevent you from being exposed (sane in a way all likely OSs are).



            However:



            • Browsers are not the only source of security issues. There is nothing it can do to protect you from anything other than itself and in a compromised system the browser could be too.


            • OS level protections while not as good as not-having-the-bug-in-the-first-place and limit the damage of a bug.


            Hence:



            • What you use the machine for and what services it has running etc will significantly effect the other risks and hence the answer to your question. If there are lots of other risky targets open and listening, how good your browser is might not be very relevant at all.

            Advice:



            The accepted wisdom (in these parts) and the advice people line up to give is:



            "More security is more better, and more newer is more security.", which in this case translates to "Update your OS too".



            Both are reasonable in my opinion and I wouldn't council against updating. But:



            • It's not a silver bullet: no-one is ever 100% safe.

            • There is potentially a trade-off against other things like convenience (which are often wrongly overlooked).

            • There's always a slim possibility updating leads to you using Windows-10, and nobody wants that...





            share|improve this answer


















            • 1





              I Use Windows 10. In fact, I'm happily using it and having far less problems than any other operational system I have ever put my hands on. If microsoft wants to take a peek on my hardware and installed programs in exchange for a better, safer OS so be it. I prefer my stuff to be on the hands of a competent corporate company than on the hands of some weird guy that is know for having fits of angry rage because someone didn't keep with his arcane nomeclature scheme.

              – T. Sar
              Apr 10 at 18:47






            • 1





              @T.Sar Unfortunately, the issues with the privacy invasions are that those who are not benign can sometimes exploit this. This isn't limited to three letter agencies. I do want to note though that the issues with Windows telemetry aren't that it shows your hardware info and installed software to the developers. Even Debian Linux does that. Telemetry collects a lot more.

              – forest
              Apr 11 at 4:53












            • Win 10 hating: where to start? For one thing, yeah the borderline key-logging they're using to get into the personalised ad games are way worse than what hardware and software are installed. But the gripes don't stop with the privacy issues (though perhaps related). My personal main objection is it not conducive to doing what its told (perhaps to protect its data collection). I.e.: "please don't restart because you fancy it" -> "No but how about you can pick a few hours each day you super don't want me to power-cycle in?"...

              – ANone
              2 days ago











            • @ANone I don't have those issues at all. Are you sure you set up your win 10 properly?

              – T. Sar
              2 days ago













            1












            1








            1







            Answer:



            Browsers are a big surface-area for security flaws and are a common source of bugs and weaknesses. While 'up-to-date' and 'secure' are not the same thing at all, having a robust browser will lower your exposure significantly, and in general newer (at the very least) means there will be fewer exploits 'in use' that will effect you. So yes this helps, and if it's the only way in to you system and if it behaves itself, then the OS only needs to behave in a sane way to prevent you from being exposed (sane in a way all likely OSs are).



            However:



            • Browsers are not the only source of security issues. There is nothing it can do to protect you from anything other than itself and in a compromised system the browser could be too.


            • OS level protections while not as good as not-having-the-bug-in-the-first-place and limit the damage of a bug.


            Hence:



            • What you use the machine for and what services it has running etc will significantly effect the other risks and hence the answer to your question. If there are lots of other risky targets open and listening, how good your browser is might not be very relevant at all.

            Advice:



            The accepted wisdom (in these parts) and the advice people line up to give is:



            "More security is more better, and more newer is more security.", which in this case translates to "Update your OS too".



            Both are reasonable in my opinion and I wouldn't council against updating. But:



            • It's not a silver bullet: no-one is ever 100% safe.

            • There is potentially a trade-off against other things like convenience (which are often wrongly overlooked).

            • There's always a slim possibility updating leads to you using Windows-10, and nobody wants that...





            share|improve this answer













            Answer:



            Browsers are a big surface-area for security flaws and are a common source of bugs and weaknesses. While 'up-to-date' and 'secure' are not the same thing at all, having a robust browser will lower your exposure significantly, and in general newer (at the very least) means there will be fewer exploits 'in use' that will effect you. So yes this helps, and if it's the only way in to you system and if it behaves itself, then the OS only needs to behave in a sane way to prevent you from being exposed (sane in a way all likely OSs are).



            However:



            • Browsers are not the only source of security issues. There is nothing it can do to protect you from anything other than itself and in a compromised system the browser could be too.


            • OS level protections while not as good as not-having-the-bug-in-the-first-place and limit the damage of a bug.


            Hence:



            • What you use the machine for and what services it has running etc will significantly effect the other risks and hence the answer to your question. If there are lots of other risky targets open and listening, how good your browser is might not be very relevant at all.

            Advice:



            The accepted wisdom (in these parts) and the advice people line up to give is:



            "More security is more better, and more newer is more security.", which in this case translates to "Update your OS too".



            Both are reasonable in my opinion and I wouldn't council against updating. But:



            • It's not a silver bullet: no-one is ever 100% safe.

            • There is potentially a trade-off against other things like convenience (which are often wrongly overlooked).

            • There's always a slim possibility updating leads to you using Windows-10, and nobody wants that...






            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Apr 10 at 16:24









            ANoneANone

            1993




            1993







            • 1





              I Use Windows 10. In fact, I'm happily using it and having far less problems than any other operational system I have ever put my hands on. If microsoft wants to take a peek on my hardware and installed programs in exchange for a better, safer OS so be it. I prefer my stuff to be on the hands of a competent corporate company than on the hands of some weird guy that is know for having fits of angry rage because someone didn't keep with his arcane nomeclature scheme.

              – T. Sar
              Apr 10 at 18:47






            • 1





              @T.Sar Unfortunately, the issues with the privacy invasions are that those who are not benign can sometimes exploit this. This isn't limited to three letter agencies. I do want to note though that the issues with Windows telemetry aren't that it shows your hardware info and installed software to the developers. Even Debian Linux does that. Telemetry collects a lot more.

              – forest
              Apr 11 at 4:53












            • Win 10 hating: where to start? For one thing, yeah the borderline key-logging they're using to get into the personalised ad games are way worse than what hardware and software are installed. But the gripes don't stop with the privacy issues (though perhaps related). My personal main objection is it not conducive to doing what its told (perhaps to protect its data collection). I.e.: "please don't restart because you fancy it" -> "No but how about you can pick a few hours each day you super don't want me to power-cycle in?"...

              – ANone
              2 days ago











            • @ANone I don't have those issues at all. Are you sure you set up your win 10 properly?

              – T. Sar
              2 days ago












            • 1





              I Use Windows 10. In fact, I'm happily using it and having far less problems than any other operational system I have ever put my hands on. If microsoft wants to take a peek on my hardware and installed programs in exchange for a better, safer OS so be it. I prefer my stuff to be on the hands of a competent corporate company than on the hands of some weird guy that is know for having fits of angry rage because someone didn't keep with his arcane nomeclature scheme.

              – T. Sar
              Apr 10 at 18:47






            • 1





              @T.Sar Unfortunately, the issues with the privacy invasions are that those who are not benign can sometimes exploit this. This isn't limited to three letter agencies. I do want to note though that the issues with Windows telemetry aren't that it shows your hardware info and installed software to the developers. Even Debian Linux does that. Telemetry collects a lot more.

              – forest
              Apr 11 at 4:53












            • Win 10 hating: where to start? For one thing, yeah the borderline key-logging they're using to get into the personalised ad games are way worse than what hardware and software are installed. But the gripes don't stop with the privacy issues (though perhaps related). My personal main objection is it not conducive to doing what its told (perhaps to protect its data collection). I.e.: "please don't restart because you fancy it" -> "No but how about you can pick a few hours each day you super don't want me to power-cycle in?"...

              – ANone
              2 days ago











            • @ANone I don't have those issues at all. Are you sure you set up your win 10 properly?

              – T. Sar
              2 days ago







            1




            1





            I Use Windows 10. In fact, I'm happily using it and having far less problems than any other operational system I have ever put my hands on. If microsoft wants to take a peek on my hardware and installed programs in exchange for a better, safer OS so be it. I prefer my stuff to be on the hands of a competent corporate company than on the hands of some weird guy that is know for having fits of angry rage because someone didn't keep with his arcane nomeclature scheme.

            – T. Sar
            Apr 10 at 18:47





            I Use Windows 10. In fact, I'm happily using it and having far less problems than any other operational system I have ever put my hands on. If microsoft wants to take a peek on my hardware and installed programs in exchange for a better, safer OS so be it. I prefer my stuff to be on the hands of a competent corporate company than on the hands of some weird guy that is know for having fits of angry rage because someone didn't keep with his arcane nomeclature scheme.

            – T. Sar
            Apr 10 at 18:47




            1




            1





            @T.Sar Unfortunately, the issues with the privacy invasions are that those who are not benign can sometimes exploit this. This isn't limited to three letter agencies. I do want to note though that the issues with Windows telemetry aren't that it shows your hardware info and installed software to the developers. Even Debian Linux does that. Telemetry collects a lot more.

            – forest
            Apr 11 at 4:53






            @T.Sar Unfortunately, the issues with the privacy invasions are that those who are not benign can sometimes exploit this. This isn't limited to three letter agencies. I do want to note though that the issues with Windows telemetry aren't that it shows your hardware info and installed software to the developers. Even Debian Linux does that. Telemetry collects a lot more.

            – forest
            Apr 11 at 4:53














            Win 10 hating: where to start? For one thing, yeah the borderline key-logging they're using to get into the personalised ad games are way worse than what hardware and software are installed. But the gripes don't stop with the privacy issues (though perhaps related). My personal main objection is it not conducive to doing what its told (perhaps to protect its data collection). I.e.: "please don't restart because you fancy it" -> "No but how about you can pick a few hours each day you super don't want me to power-cycle in?"...

            – ANone
            2 days ago





            Win 10 hating: where to start? For one thing, yeah the borderline key-logging they're using to get into the personalised ad games are way worse than what hardware and software are installed. But the gripes don't stop with the privacy issues (though perhaps related). My personal main objection is it not conducive to doing what its told (perhaps to protect its data collection). I.e.: "please don't restart because you fancy it" -> "No but how about you can pick a few hours each day you super don't want me to power-cycle in?"...

            – ANone
            2 days ago













            @ANone I don't have those issues at all. Are you sure you set up your win 10 properly?

            – T. Sar
            2 days ago





            @ANone I don't have those issues at all. Are you sure you set up your win 10 properly?

            – T. Sar
            2 days ago

















            draft saved

            draft discarded
















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207122%2fis-an-up-to-date-browser-secure-on-an-out-of-date-os%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Sum ergo cogito? 1 nng

            三茅街道4182Guuntc Dn precexpngmageondP