Mozilla ending support for Windows 7 (blog.mozilla.org)
62 points by rebelwebmaster on July 9, 2023 | 76 comments



For those just reading the headline: Windows 7 users will be able to run Firefox until at least September 2024 through the Extended Support Release that all existing Firefox users on Windows 7/8 will be migrated to.

Newer web technologies won't be supported, but the browser will keep receiving security updates for another year.


Windows 7 is 12.9% of Firefox installs and the second most used OS.

https://data.firefox.com/dashboard/hardware


Mozilla presumably collects this operating system version data on new installs of Firefox upon first run.

I wonder how the analytics of Firefox forks are tracked. If they can even be tracked.

Tor Browser, LibreWolf et al., privacy-friendly forks, block Mozilla's data collection on startup and they spoof the user agent to Windows NT 10.0 regardless of if you run them on Windows 7, 8, 10 or 11.


3rd most installs. Windows 11 identifies as Windows 10 for reasons.


That's because the kernel identifies as NT10.0. Internally it's the same as Windows 10.

Similarly, Windows 2000 and XP identify as NT5.0 and 5.1 respectively, and Windows Vista/7/8/8.1 identify as NT6.0, 6.1, 6.2, and 6.3 respectively.

Incidentally, this is also why drivers often are cross-compatible along certain Windows versions.


What does NT stand for?


There are a number of theories and backstories[1], but most commonly it's understood that it once stood for New Technology.

[1]: https://en.wikipedia.org/wiki/Windows_NT#Naming


Neither Edge nor Chrome supports Windows 7, so it's not surprising a lot of Firefox users are on Windows 7 - because the other options are no longer available on Windows 7.


Steam also dropped Windows 7 recently.


Dropping*

Formal drop is set to occur on New Year's 2024.


Edge came after Win 10.


This is terrifying. Windows 7 was EoL in early 2020. If you're in a time where you've heard about COVID-19 you shouldn't be using 7.


Why not? Win 10 is a terrible OS.


Because you haven't received security updates in three years and are one bad HTTP GET from becoming a botnet node or ransomware victim. I loathe W10 but I loathe being hacked more.



> one bad HTTP GET from becoming a botnet node or ransomware victim

Just like in Windows 10 and 11.


That's a shame. Windows 7 is the last good Windows.

I'm not convinced that later versions of Windows have some incredibly useful APIs that cannot be called dynamically and need to be used unconditionally.

This chase after new APIs also makes the program harder to support in ReactOS and Wine.


Running a 14 year old operating system in the world we live in today is dangerous and stupid.

If you don't like newer Windows, that's fine, don't use Windows. But operating systems that old should be relegated to airgapped machines for historical purposes.


> Running a 14 year old operating system in the world we live in today is dangerous and stupid.

Forcing an upgrade treadmill on your users just to shake them down for a few extra advertising dollars in the world we live in today is dangerous and stupid.

> If you don't like newer Windows, that's fine, don't use Windows.

I don't believe that Windows 11 was at all necessary to achieve this security nirvana.


Well, Windows 10 is necessary currently. At the moment 11 doesn't offer any real improvements above it yet from a security standpoint. But obviously Windows 10 only officially has about two years of life left, though I expect Microsoft to extend it.


Last year I found an old XP machine that I wanted to show to a kid to learn to mess with.

Took me hours to get Firefox because everything else refuses to work. That was because I remembered the Mozilla download site directly.

Then, programs screaming end of support and security and vulnerability and what not.

WHAT IS THE THREAT MODEL HERE?

I come from a place which got high speed internet only 2 years ago. Until then, EVERYONE USED TO DISABLE WINDOWS UPDATE, because data was precious and guess what happened, nothing.

You actually believe if I use Firefox with ubo on windows 7 that suddenly malware would jump on my machine, turn it into a bot and destroy data?

What about using office tools like excel or say libreoffice.

If a windows 7 or xp is connected to internet and you don't use a browser, will it still get infected?


> EVERYONE USED TO DISABLE WINDOWS UPDATE, because data was precious and guess what happened, nothing.

Nothing obviously visible, you mean.


> You actually believe if I use Firefox with ubo on windows 7 that suddenly malware would jump on my machine, turn it into a bot and destroy data?

https://www.cvedetails.com/cve/CVE-2011-5046/ is a remote-code-execution attack that works via setting the height of an IFRAME because the graphics device interface doesn't vet the size of the resulting buffers generated to support that IFRAME.

It won't just jump on your machine, but it is a threat you may be continuously vulnerable to for every website you choose to access with an insufficiently-patched Win7 install. And with Win7 now EOL, there are fewer eyes on it looking for vulnerabilities that will report those vulns.


The world we live in is dangerous and stupid. An always-on, surveillance-first, roll it out while it's red junk OS might be a lot worse than old abandonware that at least doesn't actively try to deprecate perfectly fine hardware.

New != better


You could give some arguments. I heard that ransomware runs pretty well on the latest windows versions.


I felt that explaining why water is wet was probably not worth my time, but someone suggested if I needed something very basic explained, I should try ChatGPT. Here you go:

    Security vulnerabilities: Operating systems, like any software, are prone to security vulnerabilities. As time passes, these vulnerabilities become more apparent and are exploited by hackers and malicious actors. A 14-year-old operating system lacks the latest security updates, leaving it highly vulnerable to various cyber threats, including viruses, malware, and hacking attempts. Security patches and updates provided by the operating system developer help address these vulnerabilities, but they are typically discontinued for older versions.

    Lack of support and compatibility: As technology advances, software developers focus their efforts on creating applications and tools compatible with the latest operating systems. By running an outdated operating system, you severely limit your ability to use modern software and benefit from the latest features and improvements. Moreover, software developers and tech support teams usually stop providing assistance and compatibility updates for older operating systems, leaving you stranded if you encounter any issues.

    Incompatibility with newer hardware: Old operating systems may lack the necessary drivers and support for modern hardware components. This means you may have difficulties installing and using new devices, such as printers, scanners, or graphics cards. As hardware manufacturers continue to innovate, they prioritize compatibility with up-to-date operating systems, making it increasingly challenging to integrate old systems with new hardware.

    Missing out on advancements: Operating systems have come a long way in the past 14 years. Newer versions offer significant advancements in terms of performance, stability, user experience, and productivity features. By sticking to an outdated operating system, you miss out on these improvements, making your computing experience less efficient, less secure, and less enjoyable.

    Lack of software updates and features: Older operating systems no longer receive software updates, bug fixes, or new features. This lack of support means you won't benefit from improvements that enhance usability, introduce new functionalities, or address software issues. It also restricts you from accessing the latest applications and services that may require newer operating system versions.

    Compliance and legal concerns: Depending on your use case, running an unsupported operating system could lead to compliance and legal issues. Organizations, particularly in regulated industries like finance or healthcare, are often required to maintain up-to-date and secure systems to protect sensitive data. Failure to comply with these regulations can result in penalties, loss of reputation, and legal consequences.
It's crucial to keep your operating system up to date to ensure the security, compatibility, and functionality of your computer. By running a 14-year-old operating system, you expose yourself to unnecessary risks and miss out on the benefits of the advancements made in recent years. It's generally recommended to upgrade to the latest supported operating system or a version that is still receiving security updates to ensure a safer and more productive computing experience.


> dangerous and stupid.

My practical threat model (and presumably most people's) does not involve any of the threats that updates and patches guard against.


drive-by system takeover isn't on your threat list?


> drive-by system takeover isn't on your threat list?

How would that "drive-by system takeover" happen?

AFAIK, Windows 7 came with its network firewall enabled by default, so most services wouldn't be exposed to the network. And that network is often a local network, with another firewall separating it from the rest of the Internet. For many users, the only exposed attack surface would be the web browser itself.


Firefox is I believe the last browser here to announce dropping Windows 7, but a ton of web-connected OS features in Windows 7 use Internet Explorer to load content, and dangerously outdated IE at that. At least with Windows 8, also a bad idea, many of those connected features use the legacy Edge engine which is (marginally) better.


Nope. The machine's behind a router and its own firewall. Most JavaShit is disabled in the web browsers. Why would a drive-by attack be in my threat model?


There's a lot more ways to exploit a Windows OS than JavaScript if you load websites at all. We won't even get into "if you ever read an email or open a document".

Have you ever seen things in a different font?


Sure, fonts local to my machine. Remote fonts can go to hell, and I've likewise got cookies and JavaShit all blocked as emails go because WTF does email need them for?

Seriously, my threat model doesn't include anything that updates claim to guard against. I'm not a fucking enterprise server, nor does any government specifically want my shit. Try arguing for me to update my router before talking about the virtues of Windows updates, at least that might alleviate random port scans and the like which are in my threat model.

I'm far more likely to get pwned by some service getting hacked and leaking my shit rather than /me/ getting hacked. People who scream at me that EOL Windows is dangerous can go pound sand, because they have no clue WTF they're crying about.


Does disabling JavaScript also disable loading iframes? IIRC it does not, but my memory's hazy on the topic.

This exploit allows arbitrary code execution by requesting too big a height for an iframe, which corrupts a GDI data structure.

https://www.cvedetails.com/cve/CVE-2011-5046/


iframes are purely an HTML element. Of course, this flaw is patched in the latest Windows 7, but it's a great example of the potential risks nonetheless.


I'm no windows sysadmin but I think windows 10 is a big step up in terms of security and corporate administration, from my distant memories of being in IT.


The Firefox data is interesting. It has been years since I daily drove a machine with 8 gigs of RAM, which is 33% of their current users. Been even longer since it was a 32-bit machine, which is 15% of their current users. Win7 is the second most used OS, followed by MacOS other as third. Linux is one of many at the bottom in the chart despite it being the default in (almost?) every distro.

Makes me wonder what kind of profile is the common Firefox user. A corporate shop where the IT head insists on Firefox? The browser you install for your parents and tell them to only use this icon? I have seen FF and Chrome on the free computers at my local library.


I think you forgot about the rest of the world where consumerism isn't quite as enabled as you're imagining


Personally on Firefox since I got into open source.

In my relatively short experience developing an open source browser extension, Firefox users are far more active than Chrome users, which makes sense given that for most users, Chrome is a default, while Firefox is a choice. They're much harder to please, but the analogy that comes to mind is that in terms of submitting tickets and issues, they're like the linux of browsers.

https://news.ycombinator.com/item?id=18845205


This allows Mozilla to trim away some of the cruft and have more time available to focus on actually improving Firefox for people living in this day and age. There will always be someone who feels left behind but to me this decision is a no-brainer.


There will also be a lot of people actually left behind, but of course there will always be people who don't care about it


Goto prepare it for modern users


Windows 7, what a cozy time to be a developer. The runway is long and your code will run forever...


If this means they'll have more resources to fix the horrible video streaming battery usage from Firefox running on MacOS... great.

Intel MBPs battery just goes from 100 to 0 when you stream a video call. Honestly even on an M1 Firefox uses a lot more battery than Chrome or Safari.

Makes it hard to recommend Firefox to people.

Now... as for people still running an OS from 2009... I don't have any comments on that, other than to say it's really hard to care about what people running a 14 year-old OS want. Imagine all the hardware is pretty much just running on luck at that point.

Remember how shitty it was to have to support IE6? And that was only really for like 10 years.


Why should these projects support things after the companies that make them do?

Mozilla doesn’t support old Linux or macOS either.


Windows is much more stable than the Linux abi, xorg, or the various spaghetti libraries on unix systems


I keep hearing this, but my experience has been the inverse.

I have a statically compiled binary here from RHEL AS 2.1 (2005) running on el7; it would probably run on newer releases, I just haven't tried it.

I get -all- kinds of bullshit even trying to get a same-age winamp (5.666) working on a modern windows.


I run Winamp on Windows 11 and the only issue I've had thus far is it doesn't behave nicely with screen scaling above 100%. It otherwise runs perfectly fine just like on any other version of Windows.


If you want to get existential, why should Mozilla support users on any non-free platform? I imagine they're able to justify Windows because the huge user base justified the additional engineering effort. The blog uses "we're the only browser still supporting Windows 7" as an excuse to stop supporting it, but to me that same sentence is also an opportunity and maybe even a moral argument to keep supporting older hardware/software. If for-profit entities won't do it and Mozilla is all that's left, what happens to those users when Mozilla backs out?

This may or may not be relevant with Windows 7, but I think the size of the user base is only loosely linked to the official software EOL. I still use an older MacOS release because software and hardware I depend on don't support newer revisions. Coincidentally Mozilla also just announced ending support for older MacOS versions. It almost seems like they're trying to divert eng resources from browsers to their other projects. Mozilla's strategy is super perplexing to me.


Mozilla "works to ensure the internet remains a public resource that is open and accessible to us all", not to advocate free software.


Windows 7 users are a subset of "us all". If anything they should be focusing on FF users who don't have any remaining alternative for a modern browser. They're the ones whose internet access is most at risk.


People who refused the free 7 -> 10 upgrade aren't an oppressed minority; they're the infosec equivalent of anti-vaxers. Why should Mozilla support you if you refuse to maintain your computer?


Reachable users vs effort to reach them.


Because they care about their users and don't work for those companies?


why should Mozilla let Microsoft or anyone else dictate what they support?

I agree that Windows 7 should be dropped, but only because it's quite old, not because Microsoft has dropped support for it. Frankly Windows 7 is better than Windows 11, I think many would agree with that.


It's a dependency, and unless you're going to devote resources into testing and proving that support on your own, it doesn't make sense to extend it past what the dependency's support lifecycle is.

Which is why most places are dropping W7 this year. Microsoft's last extended security update was this year. The age is kind of irrelevant, if Microsoft wanted to support it for another 5 years, then places like Mozilla would continue as long as people used it.


> Frankly Windows 7 is better than Windows 11, I think many would agree with that.

I would not. Windows 10 has improvements to the compositor, scheduler, settings and seemingly other things that make it faster in many applications, even on low resource systems. It has other features (like HDR, DirectML) that make it far better for some more cutting edge apps.

One could argue the "stock" config of Windows 10 and 11 is really trashy... Which is true. But it's not really a fair argument, as OEMs loaded Windows 7 systems with bloatware (where Microsoft is doing more of that these days).


> settings

is this a joke? ever tried user management with Windows 10/11? it's a hellscape of clicking through the Control Panel, the Settings app, and countless crosslinked pages with no rhyme or reason. same for microphone levels. same for device management.


Long live the PowerShell. Yes, old control panel was much more manageable. Most of the important settings have been hidden from the end-user these days.


I am normally a Linux or MacOS user exclusively, but recently I reinstalled Windows 11 on my somewhat recently purchased Lenovo Yoga 7i. I tried to get as far as I could getting as much of my configuration codified with PowerShell in a git repo[0].

I got really far with it and the end result was super nice, I thought! But a lot of the stuff I wanted was very deeply buried.

Also, the defaults that Microsoft assaults Windows users with are insane! I can't believe what Microsoft gets away with.

[0] https://github.com/heywoodlh/windows-configs


And you still can't open multiple instances of the settings app at the same time. God forbid you want to check your network settings and printer settings at the same time when trying to troubleshoot an issue with a network printer.


Windows XP was great. Windows 7 was best. The rest fall short of those two.


Aside from potential security issues newer versions of windows always provide new APIs and changes to old ones. Keeping support requires keeping track of that and testing, which costs resources.


There is actually a dilemma about potential security issues; since the development has been stopped, no new features are introduced and hence no new bugs.

Windows 7 is quite battle-tested. Can the system be so stable that there aren't security issues anymore? On the other hand, one is too much if it is not fixed.

> windows always provide new APIs and changes to old ones

I don't think that is visible or significant. Windows changes APIs but always provides backwards compatibility. It is the major reason why it is dominating in many industry areas. You can run Windows 2000 apps in Windows 11.


It’s FOSS. If this affects you, you can always fork it and maintain support yourself.


That’s a shame, better give Mitchell Baker a pay rise.


> Unsupported operating systems receive no security updates and can be dangerous for you to use.

I see that the paranoia-FUD pushed by the forced-obsolescence corporate-authoritarianism crowd has infected them too.

Looking at how many new vulnerabilities are being found in newer and increasingly complex (often for zero benefit), while at the same time also more user-hostile software, should make you see what they're really trying to do. Software that has been around for a long time has gotten far more bugs beaten out of it than the new stuff, and due to the way the industry is going, it will only get worse.

Fortunately there's a huge and growing community which has forked Firefox and continued making functionally-equivalent versions for older OSs.

As the old saying goes: "There are known knowns, known unknowns, and unknown unknowns."

Look at the truth yourself if you don't (or don't want to) believe:

https://www.cvedetails.com/product/112/Microsoft-Windows-95....

https://www.cvedetails.com/product/343/Microsoft-Windows-98....

https://www.cvedetails.com/product/462/Microsoft-Windows-98s...

https://www.cvedetails.com/product/107/Microsoft-Windows-200...

https://www.cvedetails.com/product/739/Microsoft-Windows-Xp....

https://www.cvedetails.com/product/9591/Microsoft-Windows-Vi...

You can find the stats for (all the different versions of) Windows 10 and 11, and combine them yourself.


The problem with old OSes not receiving security updates is that they will be vulnerable to new security vulnerabilities. Having a smaller attack surface (like older OSes did) is important for security. But ultimately, older, unpatched OSes are trivial to hack, even using an off-the-shelf toolkit like metasploit; attack surface size be damned.

Also, a reason why there are fewer CVEs for older OSes is that we've gotten better at finding exploits and we care more about security because basically every system is networked now. In addition, people are still hacking older versions of Windows [1], they're just not filing CVEs.

In conclusion, even with the smaller attack surface, it seems silly to claim that a system written without any modern security mitigations (such as ASLR or W^X, which try to make stack overflows not trivially exploitable), suffering under the weight of years of unpatched vulnerabilities, is more secure than a modern system.

[1]: https://jumpespjump.blogspot.com/2014/05/hacking-windows-95-...


There is a big difference between win9x and modern battle-hardened OSs that were sitting on the modern internet for a decade. As the parent points out for Windows, and it's similar for Linux, the security exploits are largely in _NEW_ code being rewritten rather than the code which is being tossed, hence the recent huge privilege escalation bug in the Linux kernel last week.

So, yes, it's planned obsolescence, particularly when random buffer overflow/etc kinds of bugs get found in these older OSs; fixing them isn't some huge lift for MS/whoever since most of the time it's just a one line fix. And in the cases where the bug exists across multiple versions, it's likely because it's old untouched code, so fixing it in the newer OS also fixes it in the older ones if someone figures out how to `git cherry-pick` or equivalent.

I've said it before and I will say it again, the major OS providers should be on the hook for security fixes for the lifetime of the product it's been licensed to run on. That means if I want to play games on a 25 year old computer, I shouldn't have to worry about whether some 10 year old bug means I'm going to be exploited the second someone passes an image over that exploits a bug in the jpg decoder.


I don't disagree with any of this :)

The only claim that I'm making is that in today's world, it is more secure to be on a system that's receiving security updates.


> In addition, people are still hacking older versions of Windows [1], they're just not filing CVEs.

That's because there's little value in doing so, and as that article shows, it's also very difficult to, due to the tiny attack surface. The exploit shown there requires things that people wouldn't normally do (or even find it easy to, due to NATs) even with a newer version --- like exposing a share over the Internet --- and there have already been plenty more exploits found in the file sharing code of newer Windows too.


I agree that the "BUT WHAT ABOUT UPDATES?!" hysteria is weird [1].

But realistically Windows 7 has a very small user base remaining, and an even smaller part of that uses Firefox. So what do you want Mozilla to do? Keep wasting resources on CI, testing, coding shims for missing OS features, and making releases for the benefit of the 12 people worldwide who depend on the W7+Firefox combination?

1. https://knowyourmeme.com/photos/2202720-coomer


The hysteria is of course propagated by those who stand the most to benefit from it.

> Keep wasting resources on CI, testing, coding shims for missing OS features, and making releases for the benefit of the 12 people worldwide who depend on the W7+Firefox combination?

There's no need to target specific OS versions. Yes, MS has added new APIs, but the old ones are still there and function perfectly fine; and chances are that the users on W7 are not going to care about any new features anyway, so if Firefox doesn't have the same features when running on W7 vs. a newer version, it doesn't matter.

I have written apps that will run on anything from Win95 to 11. A minimalist web browser happens to be something I've been working on too.

Microsoft's backwards compatibility is its greatest advantage, but only if you take advantage of it.


I'm too lazy to dig them up, but yes, if you look at the Python change they applied to break Win7, or the Firefox change required to break WinXP, they both were like 20 lines of code that largely had sat untouched for years and provided some API shimming.

So it actually takes effort to remove support for these OSs, and generally it's better to just let them decay if the project can't be bothered to keep a CI machine running than give your users the middle finger.

So, yah, they deserve the ire people direct at them.


Heh. My father is one of those 12. He called me yesterday and mentioned he was going to be trying out some Linux stuff.


Who's forking Windows 7, though?



