What’s the Risk of Using Unsupported Software?

25 comments on “What’s the Risk of Using Unsupported Software?”

  1. “In reality, if you can educate yourself, if you can start to feel comfortable about being able to determine what is and what isn’t safe to do on the internet, you can probably continue to use Chrome for quite some time, probably until it’s time actually replace the machine for other reasons.” – I kinda disagree with this. Education and caution provide no protection from things like malvertising/drive-by downloads/installs – which, as we’ve seen recently, can be propagated via even well-known and reputable websites.

    “Seriously, a backup is by far the number one way to protect yourself from just about anything.” – I kinda disagree with this too. Much of the malware that’s out there today is financially motivated and designed to steal banking passwords/credentials, etc. Sure, a backup may – or may not – enable you to get your computer back to a pre-infection state but, by that time, your passwords and personal information could be long gone.

    When it comes to OSes, browsers and browser plug-ins, the only good option is to use products that are supported. Using something that isn’t supported could result in you getting an unpleasant surprise when you next check your bank balance.

    • An example to highlight the risks: a malvertising campaign in March of this year distributed both crypto ransomware and banking/credential-stealing malware via a compromised ad network that pushed ads to the websites of the NYT, NFL, BBC, AOL as well as numerous other well-known websites. The campaign used the Angler Exploit Kit which automatically checks for vulnerabilities in outdated/unsupported browsers and browser plug-ins, and then exploits those vulnerabilities to deliver its payload.

      http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/

      As I said, education and caution provide no protection from such threats. And your antivirus program may not provide protection either as these attacks typically make use of sophisticated obfuscation methods in order to avoid being detected (and there are tools out there that enable the bad guys to quickly and automatically obfuscate code and check the effectiveness of the obfuscation by testing it against every antivirus program on the market).

      The bottom line is that it’s exceptionally risky to use an outdated/unsupported OS or outdated/unsupported programs.

      • Wow, Ray, you seem to have an extraordinary fear of all things Internet. Once upon a time, in one of these comments, you wrote “… you shouldn’t be using an application which you do not trust …” If that’s the case, then at any moment, any OS or application can be vulnerable because it hasn’t updated yet within the last hour (perhaps an exaggeration, but not really). I think Leo is correct that a user’s personal understanding of threats, pattern of Internet usage, and diligence in backing up are factors in Internet safety. If you’re a target of an attack because you clicked on the wrong link, an updated or “supported” software is not likely to save you. There is a reason that software vendors have all sorts of disclaimers about damage to your system in their license agreements. My disclaimer: this is not an endorsement for using outdated software.

        • “Wow, Ray, you seem to have an extraordinary fear of all things Internet.” – Not at all. In fact, if you keep your system updated, run an antivirus program and exercise commonsense, it’s exceptionally unlikely that your machine will ever be compromised. However, if you don’t do those things, then it’s much more likely that your machine will be compromised – quite possibly in the manner that I described above.

          “Once upon a time, in one of these comments, you wrote “… you shouldn’t be using an application which you do not trust …”” – Indeed. If you have reason not to trust an app – say, because it comes bundled with questionable PUPs or because the developer has a bad rep and a woolly privacy policy – then don’t use the app. That’s simply commonsense.

          “If that’s the case, then at any moment, any OS or application can be vulnerable because it hasn’t updated yet within the last hour (perhaps an exaggeration, but not really).” – Sure, anything’s possible. Even if you’re a knowledgeable user who keeps his system updated and always exercises commonsense, you could still be hit. But the chances of it happening are substantially reduced – in fact, they’re close to zero.

          • What you are saying is totally logical. I am really on your side with regard to this discussion. When you play it on the safe side, i.e. being up-to-date on every aspect of your daily computing, you definitely reduce the chance of being hit by viruses, malware, etc. Very good reasoning.

  2. One thing that often happens when any software becomes unsupported on a given platform is that, although it continues to get developed and probably continues to work, it’s no longer being tested on that platform.
    This may have no impact on you, but it can also mean that, after any update, that application may no longer work, or work erratically.
    Here, Chrome is no longer being supported on Vista. So, the people working on Chrome no longer have any computer running Vista to test it on. The next update or version may or may not work correctly. Some add-ons and extensions may also fail to work properly or at all.

  3. I think that Leo is sketching the right answers, but I’d agree with Ray that continuing to use an unsupported browser is a very bad idea. Continuing to use, say, an unsupported scientific program that does some calculations or the like, would be much less of a problem. Actually, I have a few such cases. If the software does what it has to do, and you’re happy with that, that’s good enough… as long as it runs offline. However, if there’s something a browser doesn’t do very well, it is to run on an airgapped machine 🙂
    So there’s the security issue that Leo pointed out (and I agree with Ray that especially for a browser, that’s a very, very serious issue!). But also, the web evolves, uses new protocols, updates old protocols, and so on, and if you are stuck with a non-evolving browser, that’s going to work less and less well.
    So no, if there’s *one* piece of software on a computer that should remain up-to-date, it is your browser. If you use an old version of Mathematica, that’s OK. But using an old browser is definitely no-go.

    However, you should ask yourself the question: why do you want to continue to use Chrome, and what stops you from switching to one that is up-to-date? Why do you want to continue to use Vista? What’s more important to you, keeping the browser, or keeping the OS?
    If all you ever do is browse the web with Chrome, and you have essentially no other use for your computer, I’d definitely switch to Linux. You can install Chrome on Ubuntu http://askubuntu.com/questions/510056/how-to-install-google-chrome
    The nice thing about Linux is that it isn’t a resource-hog, and a fairly old machine that came with Vista will run like a charm under Linux.
    If you want to keep the Windows way of doing things because you also do other things on your computer, I’d upgrade Windows, although that costs money (that would be one of the reasons to switch to Linux).
    And finally, if browsing is only one of the things you do on your machine and you want neither free Linux nor to spend money on a Windows upgrade, why don’t you use Firefox?

    But no, don’t continue to use an outdated chrome.

    • “Continuing to use, say, an unsupported scientific program that does some calculations or the like, would be much less of a problem. ” – Yeah, browsers – and anything that plugs into the browser – are the big risks. Other things can be risky too – rendering engines in older email clients and macro handling in older versions of Word, for example – but the browser and its plugins are the main concern.

  4. It’s not clear if Cheryl, the original ‘question asker’ is technically competent in PC management [as some of us are] or just a ‘user’ who’s gone out and bought a PC to do some Computer related work. That answer will mean that the solution to her query is totally different based on her ability to tweak PCs.

    However, one would ask why Google don’t support Vista as a host for Chrome, as Vista is not yet ‘out of support’. It’s not like XP, a dead product; Vista End of Life is 2017! For non-technical people who have trusted Vista software to work and be updated until Vista ‘End of Life’, this decision by Google has let them down.
    If Cheryl is ‘watching’ these responses, perhaps she’ll let us know her requirements and capabilities; that is, do you need Windows? Can you install an Operating system? What sort of system have you got – memory, CPU, etc.? And the more technical of us will come to her rescue.

    • “Vista End of Life is 2017!” – Mainstream support for Vista ended in 2012; extended support ends in 2017.

      • Microsoft’s support policy states that EXTENDED SUPPORT includes ALL SECURITY UPDATES for vulnerabilities that affect the operating system. I have to agree with Julian here. One SHOULD ask why Google doesn’t support Chrome on Vista — at least in regard to security issues. Microsoft continues to patch security holes in Vista (and in IE9 on Vista) thru April 2017. Shouldn’t Google provide that same level of support for Chrome?

        • “Should”? I’m not sure there’s any requirement that they do anything at all. Google is perfectly free to make the decisions they choose to make at any time, without regard to what other software vendors (like Microsoft) have chosen to do. (And we are perfectly free to go elsewhere if we don’t like those decisions.) My guess is they’ve done some usage/market analysis and determined that the costs of continuing to support it on Vista don’t outweigh whatever they’re comparing against. In other words it’s very likely a business decision.

        • I’d guess that Google either wants to build features into Chrome that would not be easily supported by Vista and/or there are not enough people using Chrome on Vista to make it worth the company’s while to support the combination. The company’s decision could be partly due to hardware requirements too. The majority of people using Vista are likely doing so on decade-old machines – or possibly even older if the machines were upgraded from a previous OS – which may or may not deliver a particularly good experience and which may or may not be more complex to support.

        • Microsoft has to support their older systems, because they committed to a support schedule when they released the software. That’s pretty much a marketing necessity with paid software. Google has made no such commitment when they released Chrome. Such a commitment wouldn’t be expected with free software. The old saying, “You get what you paid for,” kind of applies.

  5. In March, Google also dropped support for Chrome on 32 bit Linux and pulled the download of the last supported version from their web site. So if you have an older computer, and/or have installed 32 bit Linux, you can’t install Chrome unless you saved the installer previously … and if you do it won’t be a supported version. You can run Chromium which is almost the same thing. However not quite. Netflix won’t run on Chromium, only Chrome.

  6. I agree that having as much going for you as possible increases security odds, so running unsupported software is too much of a security odds decreaser to realistically contemplate for most users. As Pete says, Google has ceased support for only the 32 bit version of Chrome on Linux, and this may be the same on Vista. If Cheryl is wanting to keep her older machine and it is 32 bit, not 64 bit, the best option is to switch to a supported browser. Unless she has specific software not supported by Linux, switching to Linux would also allow for the machine’s useful life to be much further extended, and also remove the threat from the vast majority of Windows based malware.

  7. For anyone looking for alternative browsers with continued support for Windows XP and Vista:

    Pale Moon (an Open Source, Goanna-based web browser forked-off from the Firefox/Mozilla source code) pertains to the previous UI (non-Australis) and keeps up with all security/bug fixes that are applicable to its code base; a very familiar, efficient and fully customizable interface with a number of Pale Moon exclusive add-ons/extensions and themes rapidly growing.

    Slimjet (a browser based-off Chromium v50 that’s packed with versatile and customizable features) will support Windows XP and Vista as it contains most of their user share. Plus continues support for NPAPI plugins and conserves memory quite well with unloading idle tabs, as well as the memory optimization feature.

    LINK: https://www.palemoon.org/
    LINK: http://www.slimjet.com/

  8. Leo, what are you recommending lately for encrypting flash drives? I see a comment on another Ask-Leo question from February of this year (2016) where you say that Truecrypt has not been compromised. But I can’t find instructions on how to encrypt the entire flash/jump/usb drive. Can you do a video or two on this? Thank you.

      • I’ve stayed away from using TrueCrypt on flash drives as they can only be used on a computer where TrueCrypt has been installed by someone with admin rights. Since I might want to use my flash drive on a work, friend’s or public computer, I stick with encryption methods which can use portable programs like 7Zip (any zip file program would work). I believe AxCrypt also has a portable version. Those methods require more work than TrueCrypt or VeraCrypt, but that way you can use your flash drive on any computer.
        https://askleo.com/how-do-i-password-protect-a-flash-drive/
        http://ask-leo.com/encrypting_using_zip_files.html

        • Both TrueCrypt and VeraCrypt can be used in portable/traveler mode, but it’s a bit messy and still requires admin rights on the host machine. As you say, a password-protected zip file is probably a better option.

  9. Since Chrome is connected with IE, I’ve avoided this – the only browser I’ve trusted in years is FireFox which continually updates & has remained independent from the MsFt guys. I still do not understand these people who insist on using only MsFt products when these are the ones which are so attacked by these hackers, et al.
    Would very much appreciate hearing comments as to why LO is not considered by many – although it’s superior to MsFt’s various Office programs … FireFox is not hacked yet people insist on using IE or now Chrome … … …

  10. An ad blocker and/or script blocker. And HTML mail disabled. And use an email provider with good spam filters. Will go a very long way to avoiding most problems.
