Windows 7 and Windows Server 2008 will officially reach end-of-support on January 14, 2020, but they will continue to receive security patches past that date, unofficially.
Microsoft will still provide support for some customers through Extended Security Updates (ESU), but the majority of systems still running Windows 7 or Windows Server 2008 will no longer receive security updates, thus remaining exposed to attacks exploiting newly discovered vulnerabilities.
While buying ESU from Microsoft will certainly be the best solution for some organizations, the extended support will only be good for 3 years, and they will eventually need to upgrade to newer, supported platform iterations, or remain vulnerable.
ACROS Security, a Slovenia-based company focused on delivering tiny fixes for vulnerabilities in popular software before official patches arrive, says it will provide support for both Windows 7 and Windows Server 2008 even after Microsoft will stop doing so.
“We’re going to security-adopt Windows 7 and Windows 2008 Server for those of you who want to keep them patched after their official security updates have dried out,” ACROS Security says.
The company’s micro-patching service is called 0patch, and is offered both for free and in a paid form. Through the free service, users have been provided with fixes for high-risk vulnerabilities affecting Windows, WinRAR, OpenOffice, Microsoft’s JET Database, and Adobe Reader, among others.
Now, the company says it is ready to grow beyond these tiny fixes, and is making the first step to going big.
Thus, past January 2020, the company will look into the monthly patches released by Microsoft to find those targeting flaws that also impact Windows 7 or Windows Server 2008, and, should any be considered high risk, it will port Microsoft’s fixes to the two platforms, along with some micro-patches.
To ensure efficiency, 0patch is working on a central management service to allow admins to organize computers in groups and apply different policies to them. This will allow administrators to test the micro-patches on some groups before delivering them to all computers.
“Naturally they’ll also be able to un-apply any micropatches just as easily and quickly should they choose to. There will be alerts, graphs, reports, and drill-downs, and the very next step will be an on-premises version of 0patch server which so many organizations are asking for,” 0patch says.
The company is also expanding its team and plans on improving reversing, patch analysis, vulnerability analysis, micropatch development and micropatch porting processes with new tools and techniques.
The company is also working on formal verification of micro-patches and is relying on symbolic execution and emulation to help avoid errors sooner during development.
“We may decide to give some of these micropatches away for free, for instance to help block a global worm outbreak. But generally, only paying customers will be receiving Windows 7 / Server 2008 micropatches,” 0patch said, responding to a SecurityWeek inquiry on the availability of the patches.
On its FAQ page, the company explains that all users with 0patch PRO or 0patch Enterprise licenses will receive the post-EOS (post-End-of-Support) Windows 7 and Windows Server 2008 patches, regardless of whether they are home users or businesses.
Related: ACROS Security Launches 0patch PRO
Related: Unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day