Tomorrow, Microsoft will end regular update and patch distributions for Windows 7, leaving those without preparations in place at risk. Security experts commented below on this news and what is best strategy for companies still using Windows 7.
Tomorrow, Microsoft will end regular update and patch distributions for Windows 7, leaving those without preparations in place at risk. Security experts commented below on this news and what is best strategy for companies still using Windows 7.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Windows 7 will keep working come January 15. Nothing will change overnight. It is true that Windows 7 will be more vulnerable to attack. That is the expectation. But I don’t think the actual impact will be catastrophic.
For home users that want to cling on for whatever reasons, many of the potential problems could be mitigated using other tools and methods, like VPN, encryption, security software, and a good secure home router.
For many enterprises, they will simply sign up for Windows 7 Extended Security Updates for the next three years of coverage. This covers anything deemed critical or important.
Which means not much will change in the attack landscape for enterprises with the Windows 7 Extended Security Updates. Most major apps like Google Chrome browser will also continue to be supported with updates for all users.
For everyone else, an update to Windows 10 or a move to another supported OS should have already happened. A user should never use an unsupported operating system for public facing internet use, like browsing the web or for email. It is bad practice.
For most people, an upgrade should be as simple as a license key. The hardware requirements are fairly low compared to modern hardware. Almost any PC from the last 10 years should be able to support Windows 10. That in itself I would consider incredibly old. Most users are running Windows 7 on more modern hardware simply because they like using Windows 7 and opted to. Windows 10 has been the default OS on a new PC for some time.
If a users current hardware does not support Windows 10 or a newer OS, it is likely old hardware that doesn’t support any of the latest versions of apps either. This means not only the OS is out of date, but everything is most likely out of date, which is a much bigger problem.
I’d recommend for those users to buy new hardware.
Microsoft’s decision to stop support for Windows 7 presents multiple opportunities for attackers to exploit ordinary users. Especially given that the operating system is still popular. In December 2019, 26% of Windows users have Windows 7 installed, according to Statcounter. When a new zero-day vulnerability (the so-called 0-day) is discovered by attackers, the consequences are countless. For example, the popular cyberattack exploit EternalBlue and when hackers used the WannaCry network worm to infect a web of computers.
At the same time, attackers can take a different path, for example, stealing personal account data and passwords, infecting the system with banking Trojans; specialized banking trojans that are designed to steal account data from electronic banking systems, electronic payment systems, plastic cards, etc. We note that such data is lucrative and attractive on the darkweb. To reduce the risk of being attacked, we recommend that you use protection tools, download files only from official sites, carefully treat any attachment files received by e-mail, and update the software on your PC. Do not forget to back up all important files to a separate hard drive, and for all accounts enable two-factor authentication.
The End of Life means that Microsoft will no longer provide security updates like the ones listed below. This will increase the risk assumed by those organizations that continue to run Windows 7 or 2008 and we expect attackers will begin actively looking for those operating systems as a \”soft spot\” for a compromise. For instance, shortly after Windows XP went into End of Life, we saw widespread exploitation with the WannaCry campaign. While Microsoft did eventually release security fixes for XP, there\’s no assurance that the same would occur with Windows 7 if there were a similar campaign today. With the concerns around last year\’s potentially \”wormable\” BlueKeep (CVE-2019-0708) and new vulnerabilities discovered every month, this is not a time to let your systems go without security patches.
If an organisation is running Windows 7 past Tuesday, January 14th, they are putting their company and staff data at risk, as well as that of their suppliers, partners, and customers, because security patches will no longer be available. Many businesses are still running Windows 7 because they’ve been slow to act, hadn’t seen it as a priority, or thought of it as too much of a daunting challenge to upgrade all their systems. Daunting as it may be, we’re now at the stage where the best option is to upgrade. However, if businesses cannot and have made arrangements with Microsoft to pay for continued Windows 7 patching support, it is critical that they make sure their patch management system will be able to apply them.
It is not an impossible task, however. IT teams can and should be taking advantage of automation tools to assist with the migration, and invest in ongoing endpoint management to make sure that these systems are continually up to date without the team needing to break their backs. Businesses should prioritise gaining visibility over all their systems so they can be 100% sure that each one is secure.