No. Legacy Update is intended to help you install security patches Microsoft previously released for your operating system, in addition to enabling access to functionality that has become inaccessible due to modern internet security requirements. It is not a replacement for a currently supported operating system, which includes the latest security advancements, and regularly receives fixes for newly discovered flaws.
Operating system security evolves over time: every version of Windows comes with new advancements in security that can’t simply be applied as an update on top of a prior version. Windows 11 is more secure than Windows 10; Windows 10 is more secure than Windows 7; etc. Current operating systems you should consider switching to for daily use include Windows 11 or a current Linux distribution.
We strongly recommend using antivirus software such as Microsoft Security Essentials on your legacy Windows device, and not using it to log into personal accounts. Should you find that your device is infected, we recommend disconnecting from the internet until you can remove the infection, or reinstall Windows.
Remember: Even if you are sure there is no valuable information stored on your legacy device, it can still be used as an entry point to find other vulnerable devices on your network. If you are concerned by this, you should take measures to isolate/airgap the system, such as by placing it behind a separate router.
So what will actually happen?
You may have heard a myth that old versions of Windows will become infected by simply being turned on and connected to the internet. This is how some malware, known as worms, spread in the 1990s and 2000s, but it is mostly no longer possible today. Modern routers and many internet service providers (ISPs) use Network Address Translation (NAT) to allow many devices to share a public IP address. As a side effect, unsolicited inbound connections from the internet are not passed on to devices behind the router unless a port forwarding rule exists, which prevents attacks that rely on worm-like port scanning.
In our experience from the entire time Legacy Update has existed, we have not seen reports of a legacy Windows device becoming infected. Current malware authors are aware that the user base of earlier versions of Windows is now very small, and not worth the added effort to infect. Typically, malware campaigns last a few months to a few years at a time, so older malware is unlikely to still be active. However, this situation could still change at any time.
Exposing a program running on your legacy device to the internet via port forwarding or a DMZ host is not recommended. Old software has known security vulnerabilities, which are far easier to exploit when exposed to the public internet. Please note that programs may create temporary port forwarding rules on your router by using Universal Plug and Play (UPnP). Peer-to-peer software such as online games may do this. Additionally, there are known vulnerabilities in Windows’s core networking system, such as CVE-2024-38063, which do not have an official fix for Windows 8.1 or earlier.
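
One way to audit the UPnP port forwarding rules described above, as an added example that is not part of Legacy Update: the script parses the replies a router gives to the UPnP `GetGenericPortMappingEntry` action and lists the enabled mappings that point at the legacy device. The host address `192.168.1.50` and the sample replies are constructed for illustration; fetching the replies from a real router is outside the example.

```python
import xml.etree.ElementTree as ET

LEGACY_HOST = "192.168.1.50"  # assumption: LAN address of the legacy PC
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def parse_mapping(soap_xml):
    """Extract the mapping fields from one GetGenericPortMappingEntryResponse."""
    found = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if name in FIELDS:
            found[name] = (el.text or "").strip()
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError("not a port mapping response, missing: %s" % missing)
    return found

def exposed_ports(responses, host):
    """Return sorted (protocol, external_port, description, permanent) tuples
    for every enabled mapping that forwards internet traffic to `host`."""
    hits = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        enabled = m["NewEnabled"].lower() in ("1", "true", "yes")
        if enabled and m["NewInternalClient"] == host:
            hits.append((m["NewProtocol"], int(m["NewExternalPort"]),
                         m["NewPortMappingDescription"],
                         m["NewLeaseDuration"] == "0"))  # 0 = no expiry (IGD v1)
    return sorted(hits)

# Constructed sample replies (not captured from a real router).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost/><NewExternalPort>{0}</NewExternalPort><NewProtocol>{1}</NewProtocol>'
    '<NewInternalPort>{2}</NewInternalPort><NewInternalClient>{3}</NewInternalClient>'
    '<NewEnabled>{4}</NewEnabled><NewPortMappingDescription>{5}</NewPortMappingDescription>'
    '<NewLeaseDuration>{6}</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_RESPONSES = [TEMPLATE.format(*row) for row in (
    ("3074", "UDP", "3074", "192.168.1.50", "1", "Online game", "3600"),
    ("6881", "TCP", "6881", "192.168.1.23", "1", "Other PC", "0"),
    ("445", "TCP", "445", "192.168.1.50", "0", "Disabled rule", "0"),
    ("27015", "TCP", "27015", "192.168.1.50", "1", "Game server", "0"),
)]

if __name__ == "__main__":
    for proto, port, desc, permanent in exposed_ports(SAMPLE_RESPONSES, LEGACY_HOST):
        print(proto, port, desc, "permanent" if permanent else "temporary")
```

Any mapping this reports for the legacy device is a rule to remove on the router, and turning off UPnP on the router stops programs from creating new ones.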