Is an up-to-date browser secure on an out-of-date OS?

Do not use an outdated OS, even with a modern browser.

Assuming that after that day I still use an updated browser, is it true that I'm still safe?

No, you cannot avoid browser-based security holes only by updating the browser. There are a few reasons for this. Primarily, the browser is not entirely self-contained. It makes use of operating system libraries, for example the system memory allocator. This allocator is designed to mitigate various memory corruption-related security issues. If the allocator is not kept up to date, memory exploitation bugs may be easier to perform against the browser, no matter how up to date the browser is.

Another reason is that browser security often relies on OS sandboxing features. A powerful browser exploit must be combined with a so-called sandbox escape. How easy that escape is depends on how secure the operating system is as well as how secure the browser is. By using an outdated operating system, your browser is being protected by out of date and potentially vulnerable security features.

Can it "patch" the OS-based security holes?

No. Patching operating system vulnerabilities requires elevated privileges, which a browser does not have. Even if it did, browsers are not designed to modify system settings or system files. There is no extension or web page you can go to that is able to patch security vulnerabilities in your OS.

Minor question: typically, how long would the browsers stop supporting abandoned OS?

Browser vendors typically publish when they will stop officially supporting a particular operating system. After that point, changes made to the browser that break on older systems will no longer be considered bugs and may not be fixed. Programs typically continue running on older systems for a very long time, however. They only stop working when they begin to rely on newer system APIs that aren't present in older versions. This is relatively rare. A browser should be able to run on an outdated operating system for many years, albeit not very securely, and without official support from the vendor. Most likely, as it begins to rely on newer and newer APIs, features in the browser will just start breaking one by one (especially security-related features) until it eventually does not start up at all.


One benefit of the newer operating systems, like Windows 10 over Windows 7, is that they have more advanced features built in to the operating system to protect against entire classes of vulnerabilities.

There have actually been examples of web browsers being more secure on Windows 10 than Windows 7 even though Windows 7 is still supported! See for example this Google security vulnerability disclosure.

There was a vulnerability in Chrome, but Google's researchers believe that it was only exploitable in Windows 7 due to an additional vulnerability in that version of Windows. The additional protections in Windows 10 protected the system despite the browser vulnerability.

To answer your question about how long the browser will support legacy operating systems: Firefox for example supported Windows XP and Windows Vista until June 2018, which was well after the end of support dates for those operating systems (2014 and 2017 respectively). In their announcement, they claim to have ended support because the operating systems had known exploits which made it difficult to maintain Firefox.

Chrome supported Windows XP and Vista until version 50, which came out in April 2016 (they stopped supporting Vista before Microsoft did!)


Oh goodie a surface area question.

The surface area of attacks against the OS via the browser varies wildly with the browser. With Internet Explorer, the surface area is vast. On the other hand, Firefox mostly uses its own decoders for everything, crushing the surface area down to only a few pieces. In any case, the TCP stack, DNS, and the font rendering engine remain attack targets. It is unwise to assume the attacker will not select a vulnerability that will actually work, and I see GDI+ remote code execution vulnerabilities every few months almost like clockwork.

Don't do it man. At least not on Windows. On Linux we can do exotic things that make shellcode not work that would at least make the attacker have to target you specifically. But if you haven't done them don't do it on Linux either.