As Microsoft shuts down Windows 7, security risks loom

Jan. 14, 2020
Organizations that have failed to convert to updated operating systems must move quickly

It may not rise to the level of the Y2K scare that snarled the computer world when 2000 rolled in, but the reality of Microsoft cutting its support for Windows 7 today could have real-world consequences for the security of your operating system. The fact is, once Microsoft shuts down its support of the 11-year-old operating system, much as it did previously when Windows Vista and Windows XP were shelved, the company will no longer be issuing security updates. And while customers, both on the consumer and professional side, can certainly continue to run the Windows 7 software counting on antivirus tools to secure their systems, it is the collaborative effect of software updates, patches and other security software tools that ensures a secure network.

According to Microsoft, security updates for Windows 7 will continue to be released, but not to the general public. Enterprise users will be able to contract for custom support to maintain continuity in their security updates until they migrate to new operating systems. Microsoft adds that Windows 7 users can still use their computers after Tuesday, but the company warns they will be at "greater risk for viruses and malware."

The Impact

“The event of Microsoft moving on from Windows 7 this month with its End-Of-Life means vulnerabilities will no longer be patched with security updates and support won’t be available for any future bugs. Although the operating system can still be used, the vendor will not take any responsibility for any security breaches. This, in turn, means hackers will leverage the circumstance to create new targeted malware, as well as develop malware-less techniques to massively exploit vulnerable systems. It is inevitable and it is for a fact going to happen,” warns Rui Lopes, Engineering and Technical Support Manager at Panda Security. “Not only each individual Windows 7 system on the network but effectively every network with Windows 7 systems becomes more vulnerable to cyberattacks: widespread, targeted, sophisticated – with staggering costs for individual users as well as companies of any size. Enterprise industry regulatory non-compliance is perhaps the other most significant consequence: the absence of updates and support for an operating system will likely mean mandatory audits will fail.”

Jack Mannino, CEO at nVisium, says that most users should have been aware this was in the works, since Microsoft had long indicated that its intended lifecycle for Windows 7 would be 10 years, as it has done with previous operating systems.

“This should not have been a surprise to anyone. The challenge is that at Windows' scale and install base, there are non-trivial consequences to ending support that will likely result in many compromises over the next decade. However, a decade is a reasonable support lifecycle for an operating system and we're better off focusing on removing security debt in our environments rather than prolonging the inevitable. Maintaining obsolete operating systems adds significant costs and security risks to both the vendor and customer,” Mannino adds.

Joseph Carson, chief security scientist at Thycotic, is concerned that the fallout from losing support for an OS that is used by more than one-third of PC users globally, according to NetMarketShare, could be substantial as well.

“Companies who continue to use Windows 7 in their environment are having to make a serious decision in accepting the risk of becoming a victim of a cyber incident in the coming year. The end of support for Windows 7 is going to cause major security risks and challenges over the next few years globally for many governments, organizations and consumers. According to Statcounter, Windows 7 is still deployed on one out of four Windows systems which means that a large number of devices are going to be without security updates. This will leave them exposed to vulnerabilities found after January 14,” Carson says.

However, Chris Morales, head of security analytics at Vectra feels the threats and impact are a bit overblown. Sure, he realizes that the software will be more vulnerable to attack, but he doesn’t think it will be catastrophic.

“For home users that want to cling on for whatever reasons, many of the potential problems could be mitigated using other tools and methods, like VPN, encryption, security software, and a good secure home router. For many enterprises, they will simply sign up for Windows 7 Extended Security Updates for the next three years of coverage. This covers anything deemed critical or important,” says Morales. “This means not much will change in the attack landscape for enterprises with the Windows 7 Extended Security Updates. Most major apps like Google Chrome browser will also continue to be supported with updates for all users.”

What to Do

So, what are organizations supposed to do to mitigate the risk of running an unsupported OS? Carson maintains that companies must accelerate the replacement of Windows 7 systems or they will face an increased risk of becoming a victim of a cyber incident, data loss, service outages or a huge financial loss. Companies that continue to use Windows 7 systems after the end of support will have to perform a serious risk assessment to determine what it will take to replace those systems.

“Whether they are automated systems or human interactive means further hardening of those systems is urgent and cyber awareness training is a must for employees who continue to use Windows 7 to help reduce the risks,” adds Carson. “Companies will have to decide to limit internet access and deploy more security solutions to protect Windows 7 such as network access, application control solutions and strong privileged access management to limit privileged access to the systems. However, the only true security solution is to upgrade or cease using Windows 7."

Upgrading the organization’s OS seems to be the consensus of many IT experts, with Morales chiding that the move to another OS should have already taken place.

“An update to Windows 10 or a move to another supported OS should have already happened. A user should never use an unsupported operating system for public-facing internet use, like browsing the web or for email. It is bad practice. For most people, an upgrade should be as simple as a license key. The hardware requirements are low compared to modern hardware. Almost any PC from the last 10 years should be able to support Windows 10. That in itself I would consider incredibly old. Most users are running Windows 7 on more modern hardware simply because they like using Windows 7 and opted to. Windows 10 has been the default OS on a new PC for some time,” continues Morales. “If a user’s current hardware does not support Windows 10 or a newer OS, it is likely old hardware that doesn’t support any of the latest versions of apps either. This means not only the OS is out of date, but everything is most likely out of date, which is a much bigger problem. I’d recommend for those users to buy new hardware.”

Mehul Revankar, director of product management at SaltStack, concludes that organizations remaining on Windows 7 should get an accurate inventory of all their assets and identify every Windows 7 system in the organization.

“Stop procrastinating and take action. Upgrade those assets to Windows 10 or later. But if you can't upgrade for one reason or another, get them off the internet at the very least, and add mitigating controls so that only authorized users have access to them,” warns Revankar. “The most likely problem is that systems will not be updated or will be slow to update. And the longer they wait, the higher the risk that this results in a costly attack."
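The inventory-and-isolate steps described above are easier to act on when the inventory is triaged automatically. The script below is an added example, not code from the article or from any vendor quoted in it. It assumes an exported host inventory with hostname, os_name, os_version, internet_exposed and esu_enrolled columns (an assumed schema; the sample rows are constructed), identifies Windows 7 hosts by product name and the 6.1 kernel version, and ranks each one by internet exposure and Extended Security Updates enrollment so the systems that are both unpatched and internet-facing come first. It also handles one edge case the article does not mention: Windows Server 2008 R2 reports the same 6.1 version as Windows 7, so version alone is not enough to identify a Windows 7 host.

```python
"""Triage a host inventory for end-of-life Windows 7 systems.

Added example; not from the article or any vendor it quotes.
The inventory schema (hostname, os_name, os_version, internet_exposed,
esu_enrolled) is an assumption, and the rows below are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Windows 7 reports kernel version 6.1 (RTM build 7600, SP1 build 7601).
WINDOWS7_VERSION_PREFIX = "6.1."

# Constructed sample inventory (assumed export format, not a real tool's output).
SAMPLE_INVENTORY = """hostname,os_name,os_version,internet_exposed,esu_enrolled
kiosk-01,Windows 7 Professional,6.1.7601,yes,no
hr-laptop-07,Windows 10 Enterprise,10.0.18363,yes,no
scada-hmi-02,Windows 7 Embedded,6.1.7601,no,no
fin-ws-11,Windows 7 Enterprise,6.1.7601,yes,yes
srv-file-01,Windows Server 2008 R2,6.1.7601,no,no
"""


@dataclass
class Finding:
    hostname: str
    os_name: str
    risk: str      # "critical", "high" or "medium"
    action: str    # recommended mitigation, in priority order


def is_windows7(os_name: str, os_version: str) -> bool:
    """True for Windows 7 hosts. Server 2008 R2 shares the 6.1 kernel,
    so the product name is checked as well as the version."""
    return os_version.startswith(WINDOWS7_VERSION_PREFIX) and os_name.startswith("Windows 7")


def rank(internet_exposed: bool, esu_enrolled: bool) -> tuple[str, str]:
    """Rank a Windows 7 host by exposure and patch coverage."""
    if internet_exposed and not esu_enrolled:
        return "critical", "remove from internet-facing roles now; upgrade or isolate"
    if internet_exposed:
        # ESU covers only fixes rated critical or important, so exposure still matters.
        return "high", "ESU-covered but internet-exposed; schedule the upgrade"
    if not esu_enrolled:
        return "high", "isolated but unpatched; restrict access and upgrade"
    return "medium", "isolated and ESU-covered; replace before ESU coverage ends"


def triage(inventory_csv: str) -> list[Finding]:
    """Return Windows 7 findings, highest risk first, then by hostname."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_windows7(row["os_name"], row["os_version"]):
            continue
        exposed = row["internet_exposed"].strip().lower() == "yes"
        esu = row["esu_enrolled"].strip().lower() == "yes"
        risk, action = rank(exposed, esu)
        findings.append(Finding(row["hostname"], row["os_name"], risk, action))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f.risk], f.hostname))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.risk:8} {f.hostname:14} {f.os_name:24} {f.action}")
```

Run against the constructed sample, the critical row is the internet-exposed kiosk with no ESU coverage; the Windows 10 laptop and the Server 2008 R2 host are not reported, the latter because the product-name check excludes it despite its 6.1 version.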

About the Author:

Steve Lasky is a 33-year veteran of the security publishing industry and a multiple-award-winning journalist. He is currently the Editorial and Conference Director for the Endeavor Business Security Media Group, the world’s largest security media entity, serving more than 190,000 security professionals in print, interactive and events. It includes Security Technology Executive, Security Business and Locksmith Ledger International magazines, and SecurityInfoWatch.com, the most visited security web portal in the world. He can be reached at [email protected].