Windows 7 reached end of life on Tuesday, January 14, 2020, but hundreds of millions of PCs worldwide still run the operating system, which likely makes them a more tempting target for malicious cyber actors.
Microsoft will no longer provide free security updates, patches or technical support for Windows 7, which makes devices running this version of the operating system more vulnerable to attacks and more likely to be targeted.
The latest data from Statcounter and NetMarketShare shows that roughly 30% of the over 1 billion PCs estimated to exist worldwide still use Windows 7. According to Statcounter, the percentage is just under 18% in the United States.
Kaspersky reported in late August that, based on its data, nearly half of small and medium-sized businesses (SMBs) and enterprises were still using Windows 7. More recent data from Kollective suggests that the situation has not improved much, with 53% of businesses in the US and UK still using Windows 7 devices.
While these statistics may not be highly accurate, at least a few hundred million PCs around the world likely still run Windows 7. It’s worth noting that when Windows XP reached end of life in April 2014, the operating system also had a market share estimated at roughly 30%.
The most obvious solution is to upgrade to Windows 10, which provides significant benefits both in terms of functionality and security. Additionally, organizations willing to pay up can receive extended security updates for Windows 7 until January 2023, but Microsoft says the price of the extended updates, which cover the more important vulnerabilities, will increase every year.
Third-party vendors are also offering solutions. ACROS Security’s 0patch service, which provides third-party micropatches for important vulnerabilities, has promised to create fixes for Windows 7 flaws. While most of these patches will be accessible only to paying customers, some fixes, particularly for high-risk vulnerabilities, may be handed out for free.
Experts have warned that end-users and organizations still running Windows 7 on their devices are more likely to be targeted by malicious actors, particularly through new and unpatched vulnerabilities.
“Since there are no patches available, going forward Windows 7 systems will become ripe targets for attackers to exploit. A quick search on internet search engines such as shodan.io reveals that there are roughly a million Windows 7 systems connected to the internet. When the next major Windows 7 vulnerability strikes, these would be the systems attackers would go after first, own them very quickly, and cause business disruption,” explained Mehul Revankar, director of product management at SaltStack, a provider of intelligent IT automation software.
“Hackers will leverage the circumstance to create new targeted malware, as well as develop malwareless techniques to massively exploit vulnerable systems. It is inevitable and it is for a fact going to happen,” Rui Lopes, Engineering and Technical Support Manager at Panda Security, told SecurityWeek.
“Not only each individual Windows 7 system on the network but effectively every network with Windows 7 systems becomes more vulnerable to cyberattacks: widespread, targeted, sophisticated – with staggering costs for individual users as well as companies of any size. Enterprise industry regulatory non-compliance is perhaps the other most significant consequence: absence of updates and support for an operating system will likely mean mandatory audits will fail,” Lopes added.
Mike Puglia, Chief Strategy Officer at Kaseya, an IT infrastructure management solutions provider for MSPs and IT teams, has pointed out that nearly 500 vulnerabilities were found in desktop versions of Windows in 2018 alone and roughly 170 of them were considered critical. Moreover, Puglia noted, one in three data breaches globally is the result of unpatched vulnerabilities and, as the WannaCry incident demonstrated, organizations running unsupported versions of Windows will be hit the hardest in case of a major attack.
“With the average cost per breach now standing at around $3.92 million, failure to migrate could give just one breach the power to end your business – a scary thought given that two-thirds of businesses have yet to even develop a migration strategy,” Puglia said.
He added, “Additionally, Microsoft is also retiring free support for Office 365 ProPlus on Windows 7, which could severely hinder day-to-day operations for businesses. The next Adobe Creative Cloud update will also no longer support older versions of OS, including Windows 7, so aside from buying new hardware which will automatically come with the latest Windows OS, migrating to Windows 10 is the only real long-term solution for businesses.”
Chris Morales, head of security analytics at Vectra, a California-based provider of technology that leverages AI to detect and hunt for cyber attackers, does not believe the actual impact will be catastrophic.
“For home users that want to cling on for whatever reasons, many of the potential problems could be mitigated using other tools and methods, like VPN, encryption, security software, and a good secure home router,” Morales said.
“For many enterprises, they will simply sign up for Windows 7 Extended Security Updates for the next three years of coverage. This covers anything deemed critical or important,” Morales added. “Which means not much will change in the attack landscape for enterprises with the Windows 7 Extended Security Updates. Most major apps like Google Chrome browser will also continue to be supported with updates for all users.”
Some experts have advised organizations that cannot immediately upgrade due to the use of software built on a Windows 7 stack to isolate vulnerable systems as much as technically possible.
“This includes ingress controls at the host level and ingress and egress controls at networking boundaries. These include kiosks as well as devices used within medical or manufacturing areas. In many scenarios, these systems are difficult to protect against attacks requiring physical access because by nature they are deployed to physically accessible areas,” Jack Mannino, CEO at application security firm nVisium, told SecurityWeek.
“In our experience, we see that these systems become immensely valuable to attackers that have access to a target’s internal network. Network accessible systems with exposed vulnerabilities aid attackers in moving laterally and compromising systems across an environment,” Mannino added.
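As an added illustration of the host-level ingress controls Mannino describes, the script below is example code written for this page, not SecurityWeek's, nVisium's or Microsoft's. It assumes a Windows 7 host that cannot yet be upgraded and a small set of management sources (the jump host address, management subnet and port list are placeholders). Windows 7 ships PowerShell 2.0 and has no NetSecurity module (New-NetFirewallRule only arrived with Windows 8 / Server 2012), so the built-in Windows Firewall is driven through netsh advfirewall, which does exist on Windows 7.

```powershell
# Added example: lock a Windows 7 host down to default-deny inbound with an
# allowlist for management traffic. Run from an elevated prompt.
# Addresses and ports are placeholders for this example.

$JumpHost   = "10.0.0.5"        # assumed administrator RDP source
$MgmtSubnet = "10.0.10.0/24"    # assumed patching / monitoring subnet
$MgmtPorts  = @{ "RDP" = 3389; "WinRM" = 5985 }

function Set-Win7IngressLockdown {
    param(
        [string]$Jump,
        [string]$Subnet,
        [hashtable]$Ports,
        [switch]$DryRun
    )
    # Build the command list first so it can be reviewed with -DryRun;
    # a mistake here can cut off remote management of the host.
    $cmds = @()
    $cmds += "advfirewall set allprofiles state on"
    # Block all inbound traffic not matched by an allow rule; outbound stays
    # open here because egress filtering belongs at the network boundary.
    $cmds += "advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound"
    # Log dropped inbound connections (default file:
    # %systemroot%\system32\LogFiles\Firewall\pfirewall.log) so the host
    # produces evidence for detection and incident response.
    $cmds += "advfirewall set allprofiles logging droppedconnections enable"
    # One allow rule per management port, restricted to the assumed sources.
    foreach ($name in $Ports.Keys) {
        $port = $Ports[$name]
        $cmds += ("advfirewall firewall add rule name=Win7-Mgmt-" + $name + "-in " +
                  "dir=in action=allow protocol=TCP localport=" + $port +
                  " remoteip=" + $Jump + "," + $Subnet)
    }
    foreach ($c in $cmds) {
        if ($DryRun) { Write-Output ("netsh " + $c) }
        else         { Invoke-Expression ("netsh " + $c) | Out-Null }
    }
    return $cmds
}

# Review first, then apply.
Set-Win7IngressLockdown -Jump $JumpHost -Subnet $MgmtSubnet -Ports $MgmtPorts -DryRun
# Set-Win7IngressLockdown -Jump $JumpHost -Subnet $MgmtSubnet -Ports $MgmtPorts
```

Two caveats a practitioner should keep in mind. The blockinbound policy still honours any pre-existing allow rules (file and printer sharing, remote assistance and similar), so review the full rule set with `netsh advfirewall firewall show rule name=all` and disable what the host does not need; only blockinboundalways ignores allow rules entirely. And host-level rules do nothing against the physical-access scenarios Mannino mentions for kiosks and medical or manufacturing devices; those still need the network-boundary ingress and egress controls the quote calls for, plus physical controls.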