Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/13/2020
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft to Officially End Support for Windows 7, Server 2008

Windows 7 and Server 2008 will continue to work after Jan. 14, 2020, but will no longer receive security updates.

The end of support is near for Windows 7, Windows Server 2008, and Windows Server 2008 R2. All of these will stop receiving security updates and technical assistance after Jan. 14, 2020.

Windows 7 end-of-support arrives more than 10 years after the OS was released on Oct. 22, 2009. When the support period ends, technical assistance and software updates via Windows Update will no longer be available. Related Windows 7 services will be discontinued over time; the Electronic Program Guide for Windows Media Center, for one, will be shut down this month.

Some services will continue to receive support. Microsoft will continue to support its Edge browser for another 18 months, terminating support on July 15, 2021, at the earliest. Google will support Chrome on Windows 7 for the same time frame, the company confirmed last week.

The end of support for Windows Server 2008 means the end of additional free on-premise security updates, non-security updates, free support options, and online technical content updates. Users are urged to migrate their Windows Server 2008 products and services to Azure to access three more years of Critical and Important security updates at no additional charge.

For non-Azure environments, Microsoft advises customers to upgrade to the latest version. Those who cannot meet the end-of-support deadline can buy Extended Security Updates to protect their server workloads until they upgrade, though some restrictions apply, it notes.

Microsoft began alerting users of the Windows 7 deadline last April, when pop-up notifications started to arrive on machines running the OS. In October, users of non-domain-joined Windows 7 Pro devices started to see similar end-of-support alerts. The idea was to push users to upgrade before the deadline or risk leaving machines vulnerable to a host of attacks. 

"Microsoft has been sounding the horn about this for a while now," notes Satnam Narang, senior research engineer for security response at Tenable, who warns threats are imminent. Attackers are "chomping at the bit" to target victims still running Windows 7 and Server 2008, he says, and "it's pretty much fair game for them to find ways to exploit vulnerabilities."

One example he points to is CVE-2019-1458, an elevation of privilege vulnerability that has been exploited in the wild and affects both Windows 7 and Windows Server 2008. Businesses should be worried about targeted zero-day attacks, Narang continues, but another concern is how attackers can build these into exploit kits and launch more widespread attacks.

Richard Melick, senior technology product manager at Automox, anticipates an increase in services-based attacks leveraging vulnerabilities in Remote Desktop Protocol (RDP), Server Message Block (SMB), and other areas where services run as Windows 7 support terminates. The risk will continue to grow as third-party software products also end support for the OS.

"As that continues to advance, the older machines with the older operating systems won't be supported as often as some of the newer ones," he explains. Many companies will go off of Microsoft's schedule and stop supporting older products. "It helps them with development," Melick says. "Why develop for operating systems that are no longer supported?"

Both experts agree companies that don't upgrade face a range of phishing and tech support scams with subject lines crying, "Your machine is no longer supported!"

"There's definitely an opportunity for tech support scammers to take advantage," Narang points out.

Downsides of the Upgrade Process
Why do organizations continue to run an operating system they know will be unsupported? A host of challenges could be to blame, Melick says.

"The biggest one is going to come down to operational workflow," he notes. As most security and IT managers are aware, any upgrade potentially disrupts workflow. Because there is so much third-party software in corporate environments, software hurdles vary across businesses. A smaller company may lack resources to do a full OS upgrade. However, doing the research and planning for a massive enterprise with 2,000-plus seats "can be daunting," Melick explains.

Larger organizations also face the issue of balance and disconnect between the business and security teams. Melick points to a client that hadn't updated its machines in years because there were so many devices to support. This made them a target.

"Do we continue to delay that update due to testing and functionality and workflow, and put us at risk for attack, or do we do the update now and deal with workflow issues and a lot of service tickets?" he says.

Experience has taught him the latter is preferable, he noted. This isn't the only issue pushing businesses to upgrade. GDPR, HIPAA, and PCI compliance requirements also apply pressure.

"If you're running a machine that's not updated, you could potentially be out of compliance," Melick adds.

Not Upgrading? What to Do Now
If your organization doesn't have the money or resources to upgrade, you're not alone – but there are steps you can take to better protect your systems and prepare for the migration.

Melick advises IT and security teams to come together and establish an audit of services and hardware connected to the network, creating a full picture of every device, status, upgrading capability, and other factors. He also advises applying all available patches as soon as possible.

"With the operating system not being updated past tomorrow, deploy all the patches," he says. "Let's close that window of attack and minimize the attack surface as much possible … that's going to probably be the easiest way to get there."

In addition to relying on endpoint protection software to detect known threats, Narang advises taking the time to train employees on phishing scams that could arrive in their inboxes after support ends.

Microsoft will likely continue releasing patches for major vulnerabilities that affect Windows 7 and Server 2008, Narang points out. When the BlueKeep vulnerability was disclosed, for example, the company released fixes not only for Windows 7 and Windows Server 2008, but also Windows XP and Windows 2000, both of which were no longer supported at the time.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
berryjohnson
50%
50%
berryjohnson,
User Rank: Black Belt
1/15/2020 | 5:50:45 AM
What after windows 7 end
Windows 7 is my favorite operating system. Not mine even most of the computer users love windows 7 end. Yes, we most of the user are running windows 10 but the user who is running still running in windows 7 can upgrade windows 7 to windows 10 operating system by the following guide.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.