0patch Promises Support for Windows 7 Beyond January 2020

Windows 7 and Windows Server 2008 will officially reach end-of-support on January 14, 2020, but they will continue to receive security patches past that date, unofficially.

Microsoft will still provide support for some customers through Extended Security Updates (ESU), but the majority of systems still running Windows 7 or Windows Server 2008 will no longer receive security updates, thus remaining exposed to attacks exploiting newly discovered vulnerabilities.

While buying ESU from Microsoft will certainly be the best solution for some organizations, the extended support will only be good for 3 years, and they will eventually need to upgrade to newer, supported platform iterations, or remain vulnerable.

ACROS Security, a Slovenia-based company focused on delivering tiny fixes for vulnerabilities in popular software before official patches arrive, says it will provide support for both Windows 7 and Windows Server 2008 even after Microsoft stops doing so.

“We’re going to security-adopt Windows 7 and Windows 2008 Server for those of you who want to keep them patched after their official security updates have dried out,” ACROS Security says.

The company’s micro-patching service is called 0patch, and is offered both for free and in a paid form. Through the free service, users have been provided with fixes for high-risk vulnerabilities affecting Windows, WinRAR, OpenOffice, Microsoft’s JET Database, and Adobe Reader, among others.

Now, the company says it is ready to grow beyond these tiny fixes, and is taking the first step toward going big.

Thus, past January 2020, the company will look into the monthly patches released by Microsoft to find those targeting flaws that also impact Windows 7 or Windows Server 2008, and, should any be considered high risk, it will port Microsoft’s fixes to the two platforms, along with some micro-patches.

To ensure efficiency, 0patch is working on a central management service to allow admins to organize computers in groups and apply different policies to them. This will allow administrators to test the micro-patches on some groups before delivering them to all computers.

“Naturally they’ll also be able to un-apply any micropatches just as easily and quickly should they choose to. There will be alerts, graphs, reports, and drill-downs, and the very next step will be an on-premises version of 0patch server which so many organizations are asking for,” 0patch says.

The company is also expanding its team and plans on improving reversing, patch analysis, vulnerability analysis, micropatch development and micropatch porting processes with new tools and techniques.

The company is also working on formal verification of micro-patches and is relying on symbolic execution and emulation to help catch errors earlier in development.

“We may decide to give some of these micropatches away for free, for instance to help block a global worm outbreak. But generally, only paying customers will be receiving Windows 7 / Server 2008 micropatches,” 0patch said, responding to a SecurityWeek inquiry on the availability of the patches.

On its FAQ page, the company explains that all users with 0patch PRO or 0patch Enterprise licenses will receive the post-EOS (post-End-of-Support) Windows 7 and Windows Server 2008 patches, regardless of whether they are home users or businesses.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
