In January 2020, Microsoft officially ended its extended support and discontinued patching of Windows 7. Despite the long lead time and repeated reminders, numbers since the COVID-19 pandemic have shown a slight uptick in Windows 7 deployments. The recent estimates show that more than 26 percent of endpoints were still running Windows 7 as of March, most likely due to organizations deploying older machines to support suddenly remote workers.
If an organization of any size is still running systems on Windows 7, the end of support means these devices remain exposed to exploits and vulnerabilities, now without any security patches or Microsoft Security Essentials antivirus definitions. Once software becomes unsupported, any vulnerability found in it will remain present indefinitely. As these vulnerabilities stack up, the risk grows with the ever-wider set of options an attacker has to exploit those systems. There is also a reduced chance that new vulnerabilities are disclosed at all, since a vendor is unlikely to do anything to remedy them.
Organizations that hold back on upgrades are rolling the dice and will likely incur huge risk. In fact, a vast majority of threat actors continue to utilize known vulnerabilities to compromise low-hanging fruit. While the use of Windows XP has diminished over the years, when these machines are found on a network by an attacker, it immediately reveals a weakness in the attack surface. It is only a matter of time before Windows 7 discovery follows suit.
We could also start seeing an increase in service-based attacks that leverage vulnerabilities in Remote Desktop Protocol (RDP), Server Message Block (SMB) and other network-facing services now that Windows 7 support has terminated. In fact, global manufacturers reliant on internet of things (IoT) devices were recently hit with a malware campaign that exploited weaknesses in Windows 7 directly tied to the SMB protocol. The risk will continue to grow as third-party software products also end support for the OS.
There are also broader business advantages at risk outside of security. Organizations could miss out on the productivity gains that come with using supported software, face reduced operational compatibility with partner software, and lose interoperability with software inside managed environments. Ultimately, failures in these areas could lead to a number of compliance issues with a much broader impact on the bottom line.
So, what’s the holdup on migration?
More often than not, it comes down to disruption of operational workflow. On one hand, a small business may lack the resources for a full upgrade; on the other, a massive enterprise faces the daunting task of migrating thousands upon thousands of machines while also overcoming silos between security and business teams along the way.
While organizations will never be fully protected from vulnerabilities found after end-of-life (EOL), there are steps to mitigate threats and minimize the damage actors can do while security and IT teams work toward a system upgrade.
- IT and security teams need to come together and establish an audit of services and hardware connected to the network, creating a full picture of every device, status, upgrading capability and other factors.
- Minimize your attack surface by keeping all third-party software updated. While the core OS will not be supported, updates to software such as Firefox and Chrome will still be distributed. Apply all available patches as soon as possible to close that window of attack and minimize the attack surface.
- Segment your vulnerable devices on the network as much as possible. This will help contain the threat and greatly aid in remediation.
- Disable services that are often taken advantage of by attackers, such as RDP and SMB on Windows 7 devices.
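As an added example (not from the article or Automox), the audit and the RDP/SMB hardening steps above can be scripted from a management host. It assumes the ActiveDirectory module is installed there, WinRM is enabled on the Windows 7 targets, and the session runs with local administrator rights on them; the hostnames and function name are illustrative.

```powershell
# Added example, not part of the original article. Assumes the AD module on
# the management host, WinRM reachable on the targets, and admin rights.
Import-Module ActiveDirectory

# Step 1: inventory every Windows 7 machine known to Active Directory.
$win7Hosts = Get-ADComputer -Filter { OperatingSystem -like "Windows 7*" } `
    -Properties OperatingSystem, LastLogonDate

# Step 2: for each host, read the registry values that control RDP and the
# SMBv1 server, plus the date of the most recent hotfix. Written for the
# PowerShell 2.0 that ships with Windows 7 (no [pscustomobject]).
$report = foreach ($h in $win7Hosts) {
    try {
        Invoke-Command -ComputerName $h.Name -ErrorAction Stop -ScriptBlock {
            $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
            $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            # An absent SMB1 value means SMBv1 is enabled (the Windows 7 default).
            $smb1 = if ($null -eq $srv.SMB1) { $true } else { $srv.SMB1 -ne 0 }
            $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
            New-Object PSObject -Property @{
                Host        = $env:COMPUTERNAME
                RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
                Smb1Enabled = $smb1
                LastHotfix  = $lastFix.InstalledOn
            }
        }
    } catch {
        # Unreachable hosts still belong in the audit; flag them explicitly.
        New-Object PSObject -Property @{
            Host = $h.Name; RdpEnabled = 'unreachable'; Smb1Enabled = 'unreachable'; LastHotfix = $null
        }
    }
}
$report | Sort-Object Host | Format-Table Host, RdpEnabled, Smb1Enabled, LastHotfix -AutoSize

# Step 3 (run only after the audit is reviewed): deny RDP connections and turn
# off the SMBv1 server on one host. The SMB1 change takes effect after a reboot.
function Disable-Win7LegacyServices {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name fDenyTSConnections -Value 1 -Type DWord
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Value 0 -Type DWord
    }
}
```

Hosts that report `unreachable` are the ones to prioritize for the segmentation step, since they cannot be audited or patched remotely.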
While the above measures may provide a temporary stopgap, it's simply not worth the risk to avoid an upgrade. Given that the average time to weaponizing a new bug is seven days, IT and SecOps teams have 72 hours to harden systems before malicious players weaponize the exposed vulnerabilities. Using Windows 7 after EOL without paid extended support leaves any organization at risk and unable to meet the 24/72 Mean Time to Hardening threshold. That risk enlarges the attack surface and leaves infrastructure open to attack. Ultimately, keeping the digital landscape up to date helps enterprises of all sizes present a smaller target to malicious actors.
Richard Melick is senior technical product manager at Automox.