Dark Reading is part of the Informa Tech Division of Informa PLC


1/13/2020
05:15 PM

Microsoft to Officially End Support for Windows 7, Server 2008

Windows 7 and Server 2008 will continue to work after Jan. 14, 2020, but will no longer receive security updates.

The end of support is near for Windows 7, Windows Server 2008, and Windows Server 2008 R2. All of these will stop receiving security updates and technical assistance after Jan. 14, 2020.

Windows 7 end-of-support arrives more than 10 years after the OS was released on Oct. 22, 2009. When the support period ends, technical assistance and software updates via Windows Update will no longer be available. Related Windows 7 services will be discontinued over time; the Electronic Program Guide for Windows Media Center, for one, will be shut down this month.

Some services will continue to receive support. Microsoft will continue to support its Edge browser for another 18 months, terminating support on July 15, 2021, at the earliest. Google will support Chrome on Windows 7 for the same time frame, the company confirmed last week.

The end of support for Windows Server 2008 means the end of additional free on-premise security updates, non-security updates, free support options, and online technical content updates. Users are urged to migrate their Windows Server 2008 products and services to Azure to access three more years of Critical and Important security updates at no additional charge.

For non-Azure environments, Microsoft advises customers to upgrade to the latest version. Those who cannot meet the end-of-support deadline can buy Extended Security Updates to protect their server workloads until they upgrade, though some restrictions apply, it notes.

Microsoft began alerting users of the Windows 7 deadline last April, when pop-up notifications started to arrive on machines running the OS. In October, users of non-domain-joined Windows 7 Pro devices started to see similar end-of-support alerts. The idea was to push users to upgrade before the deadline or risk leaving machines vulnerable to a host of attacks. 

"Microsoft has been sounding the horn about this for a while now," notes Satnam Narang, senior research engineer for security response at Tenable, who warns threats are imminent. Attackers are "chomping at the bit" to target victims still running Windows 7 and Server 2008, he says, and "it's pretty much fair game for them to find ways to exploit vulnerabilities."

One example he points to is CVE-2019-1458, an elevation of privilege vulnerability that has been exploited in the wild and affects both Windows 7 and Windows Server 2008. Businesses should be worried about targeted zero-day attacks, Narang continues, but another concern is how attackers can build these into exploit kits and launch more widespread attacks.

Richard Melick, senior technology product manager at Automox, anticipates an increase in services-based attacks leveraging vulnerabilities in Remote Desktop Protocol (RDP), Server Message Block (SMB), and other areas where services run as Windows 7 support terminates. The risk will continue to grow as third-party software products also end support for the OS.

"As that continues to advance, the older machines with the older operating systems won't be supported as often as some of the newer ones," he explains. Many companies will go off of Microsoft's schedule and stop supporting older products. "It helps them with development," Melick says. "Why develop for operating systems that are no longer supported?"

Both experts agree companies that don't upgrade face a range of phishing and tech support scams with subject lines crying, "Your machine is no longer supported!"

"There's definitely an opportunity for tech support scammers to take advantage," Narang points out.

Downsides of the Upgrade Process

Why do organizations continue to run an operating system they know will be unsupported? A host of challenges could be to blame, Melick says.

"The biggest one is going to come down to operational workflow," he notes. As most security and IT managers are aware, any upgrade potentially disrupts workflow. Because there is so much third-party software in corporate environments, software hurdles vary across businesses. A smaller company may lack resources to do a full OS upgrade, while doing the research and planning for a massive enterprise with 2,000-plus seats "can be daunting," Melick explains.

Larger organizations also face the issue of balance and disconnect between the business and security teams. Melick points to a client that hadn't updated its machines in years because there were so many devices to support. This made them a target.

"Do we continue to delay that update due to testing and functionality and workflow, and put us at risk for attack, or do we do the update now and deal with workflow issues and a lot of service tickets?" he says.

Experience has taught him the latter is preferable, he notes. Workflow isn't the only issue pushing businesses to upgrade: GDPR, HIPAA, and PCI compliance requirements also apply pressure.

"If you're running a machine that's not updated, you could potentially be out of compliance," Melick adds.

Not Upgrading? What to Do Now

If your organization doesn't have the money or resources to upgrade, you're not alone – but there are steps you can take to better protect your systems and prepare for the migration.

Melick advises IT and security teams to come together and establish an audit of services and hardware connected to the network, creating a full picture of every device, status, upgrading capability, and other factors. He also advises applying all available patches as soon as possible.

"With the operating system not being updated past tomorrow, deploy all the patches," he says. "Let's close that window of attack and minimize the attack surface as much as possible … that's going to probably be the easiest way to get there."

In addition to relying on endpoint protection software to detect known threats, Narang advises taking the time to train employees on phishing scams that could arrive in their inboxes after support ends.

Microsoft will likely continue releasing patches for major vulnerabilities that affect Windows 7 and Server 2008, Narang points out. When the BlueKeep vulnerability was disclosed, for example, the company released fixes not only for Windows 7 and Windows Server 2008, but also Windows XP and Windows 2000, both of which were no longer supported at the time.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 

Comments
berryjohnson,
User Rank: Black Belt
1/15/2020 | 5:50:45 AM
What after windows 7 end
Windows 7 is my favorite operating system. Not only mine; most computer users love Windows 7. Yes, most users are running Windows 10, but users who are still running Windows 7 can upgrade Windows 7 to the Windows 10 operating system by the following guide.