Can someone who has knowledge about this explain how a PC with "unsupported OS" will actually get attacked just by web browsing and being connected to the internet? Your PC will always be behind NAT, it'll never have a public IP, therefore someone port scanning it can be ruled out unless it's maybe some infected device on the local network? It's normal in modern web browsers that you can just break out of the javascript sandbox and get OS level access by running an OS that hasn't been updated for a few years? If you're running an exe that exploits some known userspace security issue of older OS versions how likely is it that this exe doesn't have any other malicious code that'd cause issues even on an up to date OS?
If you open a browser, you expose yourself to other servers. Same with opening files you download. Plus, with exploits like NAT slipstreaming, your computer can be exposed to arbitrary packets from anywhere on the internet as soon as any device you own loads and ad.
Microsoft at some point had a bug where a single packet could take over the entire kernel. I think it was a bug somewhere in the IP stack (something related to fragmentation in IPv6 I think?). Linux had similar issues.
If the built-in JPEG viewer or h.264 decoder or whatever component you use contains a bug, your computer can get infected. That also goes for things like preview generators and file indexers that run even if you don't open the file.
As much as the web seems to have consumed everything, there are still plenty of files people open.
In practice, you'll probably be fine as long as you keep your browser up to date and use up-to-date third-party software to open most files. At some point Chrome and Firefox stop supporting your system, though, and that's when infection suddenly becomes real easy.
A lot of these are non-exe files, like images/video, crafted to execute arbitrary code through some bug in outdated software that opens them. Could be a web browser or something else. It does take a while for an OS to be so old that browsers don't support it anymore, but sufficiently old ones are vulnerable to known spectre exploits breaking out of the JS sandbox for example. Or random other browser features can be exploited.
Also, Wannacry is a good example of a LAN attack reaching further than you might expect. Or there are various conditional ways to breach the NAT, one of them simply being NATless ipv6 with a misconfigured firewall.
Microsoft might bluff a bit and actually backport fixes for very serious issues, like how Wannacry was patched all the way back to XP. Maybe Win10 is fine for several years, but the real problem is that you don't know how vulnerable you are with each passing year.
With outdated browsers it does make senese. A bit more surprising is the image or video decoding exploit, considering that I'd assume those would usually be done in hardware rather than by some userspace or OS level code.
Hardware transcoding still involves software, plus the hardware itself can be vulnerable. It's not meant to act as security. But anyway, it's also very hit-or-miss. The drivers need to support it, and even then the software might not use it.
One random thing that ticks me off, Google Meet insists on using VP8/VP9 because they invented it, which has way less overall support for hardware transcoding. That's why it uses so much more CPU on many devices than Zoom etc which use the more common H.264.
1. Disconnect that computer from the internet.
2. Are happy to have your computer infected and join a botnet.