The Pending Windows 7 Vulnerabilities Your Org Needs to Prepare for, Now
Preparing for the Windows 7 Sunset
Support for Windows 7 is ending. That much is certain. After January 14, 2020, free technical assistance and software updates from Windows Update will no longer be available for the product, although support will be available to Enterprise and Microsoft 365 customers who can buy security updates on a per-device basis.
However, we can also be certain that bad actors are already preparing to attack Windows 7 users who do not transition to Windows 8 or 10 after the sunset date, using existing (and yet-to-be-discovered) Windows 7 vulnerabilities.
In fact, that’s exactly what happened when extended support ended for Windows XP in 2014. The industry saw a surge in malware designed to attack unsupported Windows XP PCs, including the worldwide WannaCry ransomware attack in 2017. To its credit, Microsoft took the unusual step of releasing security updates for unsupported Windows operating systems like XP and Windows 2003, helping to contain the impact of the malware. The attack underscored the ongoing vulnerability of Windows operating systems after security patches, bug fixes and other forms of support finally end.
Obstacles to Upgrades
So, does this ensure that users will be prepared for the Windows 7 sunset?
If history provides a guide, probably not, at least for many users. As late as May 2017, around 60% of the 220,000 ATMs in India still ran Windows XP. In the same way, about 40 million devices are still running Windows 7 as of the middle of 2019, and their market share has remained steady throughout the year at about 35%. It’s a safe bet that the Windows 7 sunset date will arrive with tens of millions of users still vulnerable to all manner of attacks.
There are a number of reasons why companies might decide to stay on Windows 7, even in the face of potential vulnerabilities. Cost will always be an issue, not only for the initial license fee but also for any installation and implementation expenses. Looking at their budgets, some IT departments might feel that existing firewalls, anti-virus defenses and patches would be sufficient, at least for the time being.
Other companies might have privacy concerns about the increased communications involved with an upgrade to Windows 10. Microsoft’s Compatibility Telemetry service sends technical data from a PC to Microsoft on a regular basis. Although this service can provide bug fixes and help improve PC performance, some users object to having their PC constantly monitored by Microsoft. (The service can be turned off.) Ironically, those users who are concerned about privacy and choose not to migrate to Windows 10 will be the very ones who will be more vulnerable to threats.
Finally, deployments of new versions of Windows in enterprise environments require a large amount of planning. This includes testing the new operating system for compatibility with legacy systems and applications, both within the company and with suppliers, partners and business associates. It also includes identifying machines that need to be upgraded or replaced, developing a timeline and budget for upgrades, and implementing new security controls to separate critical systems from Windows 7 machines that cannot be upgraded or removed. In addition, companies will need to consider the resources, time and cost of training required for employees to learn the new operating system.
The Motto? Be Prepared.
As with any potential malware threat, the best approach is a proactive one. Now is the time to migrate to Windows 10, not at the last minute when unexpected issues and problems might arise.
Users that have no immediate plans to migrate should monitor and protect their PCs, networks and systems even more diligently than they have before. This includes regular scans of PCs, systems, networks and data stores.
For users undertaking a migration in the future, be sure to validate that the data being backed up is clean. You don’t want to transfer data from unsupported systems that might carry malware. This data is vulnerable and will continue to be vulnerable even in a new environment.
Also, choose a malware hunting and detection tool that is independent of any particular operating system and fully compatible across multiple environments. If the operating system is infected, then the data gathered from endpoints running on that operating system cannot be trusted.
Windows 10 has been called “the last version of Windows” by Microsoft evangelist Jerry Nixon, with the expectation that this version will be supported by constant updates, at least for the foreseeable future. In the meantime, Windows 7 users should be prepared one way or the other for when the Microsoft sun finally sets on their operating system.