Endpoint Security , Fraud Management & Cybercrime , Governance & Risk Management

Windows 7: Microsoft Ceases Free Security Updates

Security Experts Recommend Holdouts Review Their IT Strategy and Cloud Options
Windows 7: Microsoft Ceases Free Security Updates

Microsoft on Tuesday will offer its final, free updates and security fixes for its Windows 7 operating system as well as Office 2010. The same goes for Windows Server 2008 and 2008 R2, which also saw free support and security fixes become "end of life" on Tuesday.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

Experts are urging all organizations and individuals using Windows 7 to move on - and not just for their own sake.

"Stop thinking just of yourself; remember that you're part of the online community," says British cybersecurity expert Graham Cluley. "You may not care about your computer being infected or compromised, but you're potentially adding weaponry to criminals who will target other people's computers."

Introduced in 2009, Windows 7 followed XP and Vista and stands as one of Microsoft's most popular operating systems, based on adoption. But the end of security updates for Windows 7 has been a long time coming. "After 10 years, support for Windows 7 is coming to an end on Jan. 14 in a planned activation to transition users towards Windows 10," a Microsoft spokeswoman tells Information Security Media Group.

"Following this date, Windows 7 and Office 2010 software will no longer receive updates, including security updates," she says. "To ensure that devices remain secure and to make the most of the many updated features provided by Microsoft, users should follow directions in pop-ups to upgrade to Windows 10."

As of Tuesday, Britain's National Cyber Security Center, part of intelligence agency GCHQ, recommends no longer using any Windows 7 system to access sensitive information. “The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices," a spokeswoman tells ISMG.

"We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts," she says. "They should also consider accessing email from a different device."

Windows 7: Still Popular

Organizations can still pay for so-called "extended support," but over the long term such support costs can add up, while organizations still need to pay to move to updated systems and hardware. Microsoft declined to offer specifics on how many organizations have purchased Windows 7 extended support contracts or their pricing.

"My advice would be to move away from Windows 7 as quickly as possible," says Brian Honan, head of Dublin-based cybersecurity consultancy BH Consulting. "The risk is not just that you will be running software that is no longer supported by Microsoft, but third-party applications may also not support running on Windows 7 in the future."

Like Windows XP, however, Windows 7 seems destined to not disappear, but rather to fade away over a very long period of time. "It's a case of 'slowly but slowly,'" Cluley tells ISMG. "It will be many, many years before Windows XP is erased from the internet, and even longer for Windows 7, I suspect."

Market researcher NetMarketShare, for example, reports that in December 2019, Windows 7 remained the second most-used operating system, following Windows 10, and that one-third of all desktop and laptop PCs it saw in the wild were still running Windows 7. Another market researcher, Statcounter, said that last month, Windows 7 accounted for 27 percent of all Windows operating systems currently in use.

Top 10 Most-Used Operating Systems

NetMarketShare says that as of last month, these were the top 10 operating systems it saw being used in the wild:

  • Windows 10: 48%
  • Windows 7: 33%
  • Mac OS X 10.14: 5%
  • Windows 8.1: 4%
  • Windows XP: 2%
  • Mac OS X 10.13: 2%
  • Linux: 1%
  • Mac OS X 10.12: 0.9%
  • Mac OS X 10.15: 0.8%
  • Windows 8: 0.7%

'Endangering All of Us'

In 2014, Cluley sounded warnings about the threat posed by Windows XP - not just to users, but to everyone else. "Anyone connecting a Windows XP computer to the internet ... is not only putting themselves at risk, but also endangering all of us on the internet - as their computers may be hijacked into botnets and used to spread malware and spam attacks," he said.

Same again now for ongoing Windows 7 usage. "Just like a horror movie remake it's back to haunt you again," he tells ISMG. "You thought it was bad with Windows XP? Now Windows 7 is joining the fray."

But there are signs of hope: PC sales are up, driven by businesses moving to replace Windows 7 systems with Windows 10 devices, according to both IDC and Gartner.

“The PC market experienced growth for the first time since 2011, driven by vibrant business demand for Windows 10 upgrades, particularly in the U.S., EMEA and Japan,” says Mikako Kitagawa, senior principal analyst at Gartner. “We expect this growth to continue through this year even after Windows 7 support comes to an end this month, as many businesses in emerging regions such as China, Eurasia and the emerging Asia/Pacific have not yet upgraded.”

One challenge facing organizations that are still on Windows 7 will be losing support for the applications they need to run. Google, however, has said that it will continue to support the Chrome browser for Windows 7 systems for at least 18 more months.

"We will continue to fully support Chrome on Windows 7 for a minimum of 18 months from Microsoft's end-of-life date, until at least July 15, 2021," says Max Christoff, Chrome's engineering director, in a blog post.

Options: More Than Just Windows 10

How can organizations get away from Windows 7 as quickly as possible?

Microsoft has published extensive resources to help both businesses and individuals move away from Windows 7, preferably to Windows 10.

Compared to Windows 7, Windows 10 is a much more modern operating system that includes a raft of security features, such as better built-in defenses against attacks, including Windows Enhanced Mitigation Experience Toolkit.

But organizations would do well to pause and consider the full picture, experts say, including potentially moving more systems to the cloud.

"I suggest that companies that have not moved to Windows 10 take the opportunity to review their entire IT strategy and not just react by installing Windows 10," says Honan, who heads Ireland's first computer emergency response team, IRISSCERT, and also serves as a cybersecurity adviser to the Europol - the EU's law enforcement intelligence agency.

"This may be an opportunity to look at what alternative systems and platforms you may be able to employ and reduce your dependency on legacy applications and systems," he says. "So solutions like cloud-based, software-as-a-service applications may be an effective and attractive alternative, and the migration away from Windows 7 could be an opportune time to look at these alternatives."

Short-Term Protection

For organizations still migrating away from Windows 7, the NCSC has pointed to its security guidance for obsolete platforms, which provides short-term recommendations for protecting organizations until they can transition to supported operating systems. In the interim, it emphasizes that there is no risk-free way to use obsolete products.

Upgrading isn't instantaneous, because it involves much more than just purchasing new PCs and laptops. "For many organizations, the costs are not just related to upgrading the Windows operating systems to Windows 10," Honan tells ISMG. "There are hardware costs to consider as many companies may be using old computers which cannot support Windows 10 effectively. There may be training costs in training staff on how to use the new platforms; this will also include training for IT staff to become familiar with how to support and manage Windows 10. Certain applications may need to be upgraded and/or replaced as well, thus adding an additional cost to the plan."

For organizations that simply must run Windows 7 - for example, to support legacy applications required for their business that they have not yet migrated to a new OS - Honan recommends they purchase extended support.

In addition, he recommends that organizations:

  • Segment: Place Windows 7 systems on segments that do not include core servers or systems.
  • Patch: Install the latest OS and application updates and patches available, preferably by Jan. 14.
  • Protect: Ensure anti-virus software is running on all Windows 7 systems and kept updated.
  • Restrict: Remove local administrator rights from all users of Windows 7 devices.
  • Monitor: "Ensure effective logging and monitoring is in place to identify potential attacks targeting these devices and for suspicious traffic coming from the Windows 7 devices."

But the clear impetus now is on holdouts to migrate as soon as possible while mitigating security risks in the short term, since using Windows 7 over the long term is sure to expose organizations to new, as-yet-undiscovered flaws, Carl Wearn, head of e-crime and cyber investigations for cloud-based mail management firm Mimecast, tells ISMG.

"Use of Windows 7 or any other unsupported software leaves any organization more vulnerable," says Wearn, who until last year served on the London Metropolitan Police's specialist "Falcon" team dedicated to fighting fraud and online bank scams. "This includes other organizations that link to it or use it in their supply chain as they are then more vulnerable to third-party compromise via the less protected and outdated party, the problem likely increasing in risk over time as new vulnerabilities are uncovered and unpatched."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.