
Since the rest of the world updates their PCs, malware authors rarely focus on exploiting older versions.

Both Chrome and Windows are now in that position.

Basically, unless you are of interest to state-level attackers, in 2025 even unpatched Chrome/Windows won't get drive-by exploited.



Path traversal attacks against IIS (or any web server) are still routine yet those were fixed back in the Win 2K days.

Your thought process is not correct.


That seems like pretty sketchy reasoning.

Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.


It would make sense if the cost/danger for the thieves to check every door would be prohibitive. Unfortunately, with networked computers, checking the doors is usually both riskless and effectively free.


And turning off your old door checker, just because someone fixed the vulnerability in the latest version, is probably more hassle than it's worth.


More like, continue living in a sketchy neighbourhood because all the thieves go to the newer, more polished neighbourhoods anyway.


There are still active attacks against DOS and Win98. Automated drive-by attacks, just looking to increase the size of a bot farm. There are still new exploits being released against rather old systems.


Now I'm curious, how do you attack DOS? I mean, it comes without networking support, and if you have local access, you're already privileged.


You attack the networking stacks for it; those are still actively developed (mTCP was last updated Jan 2025), as businesses use networked DOS for quite a few things. A DOS networking stack consists of a packet driver, a NIC driver, and a protocol library. All of those have attack surface. NIC drivers in particular often haven't really had updates since they were first released, because for hardware manufacturers of the time the goal was getting people to use the hardware, not supporting them. There are newer DOS NIC drivers than you'd think too. Realtek, last I checked, still makes and supports an ISA NIC.


So you are not talking about attacking old code at all, but networking stacks that are indeed actively developed? That feels like a very different ball game from attacking Win98, even if the platform they are running on top of is old.


It's a complicated space. There are attacks on both maintained and unmaintained stacks. There are definitely attacks against Windows 95/98 too, because people have things like mills or other industrial automation that are powered by those OSes still connected to the internet. There is a lot of SCADA[1] too that fits that bill. It's easy to think "but why wasn't this replaced!" and the answer is almost always "cost or process certification". If the operator is lucky and has good networking folks, all of this is in a very very well firewalled VLAN. But never underestimate the amount of people that are not that savvy and just have it plugged into the internet.

For anyone saying these aren't targets, no they are probably already hacked. These are the things that keep the national security folks up at night knowing an adversary has them already backdoored and set up for take down. Moreover if they execute on that they would go for maximum damage first to either create chaos, or prevent the system from being repaired easily.

[1]https://en.wikipedia.org/wiki/SCADA#Security


Would suck if an exploit was present for years, sometimes decades. Would especially suck if people piled up old exploits and fell back on them as needed.


Imagine if this was all automated, even scripted, so even kiddies could do it, or others with almost zero security knowledge.

I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.


Actually riddle me this: what if you want to exploit exactly the type of person to disable updates? They are potentially more lucrative targets if nobody else targets them. Just a thought. It's sort of how "delete me" services profit off paranoia, they're a lucrative market because of the paranoia.


Everything was a zero-day at one point in time. The effort is indeed usually put in whilst it is the current version. But retrying all old malware isn't effort; it is more or less the definition of script-kiddy (though state-level attackers will do it too).


Those of us who actually do this stuff for a living still routinely see probes for Slammer, Zotob, Blaster and more from when we booted our computers by rubbing two sticks together.



