Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.
Windows 7 reached end of life (EoL) on January 14, 2020, but Microsoft gave customers the option to continue receiving important security updates through its ESU program. However, ESUs will no longer be available for purchase after January 10, 2023.
Windows 8.1 support ends on the same day. Computers running this version of Windows will continue to function, but will no longer receive technical support, software updates and, importantly, security updates or patches. In addition, Microsoft will not be offering an ESU program for Windows 8.1.
“Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the tech giant warns.
Microsoft also announced that Edge 109, scheduled for release on January 12, is the last version to support Windows 7, Windows 8.1, and Windows Server 2008 R2, Server 2012 and Server 2012 R2.
Windows Server 2012 and Server 2012 R2 will reach end of support on October 10, 2023. After this date, these operating systems will no longer receive security and non-security updates, bug fixes, technical support, or online technical content updates.
Customers that migrate applications and databases to Azure virtual machines will receive Extended Security Updates (ESUs) for free for three years after October 10. Other customers can purchase ESUs for Windows Server 2012 for up to three years, to get security updates until October 13, 2026.
Security experts urge organizations not to ignore Microsoft’s notifications and take steps to prevent the exposure of their business to a significant amount of risk.
However, there are likely many cases where it may not be easy for organizations to update their systems to supported versions of Windows, due to budget issues and the use of older hardware.
“Unfortunately, many businesses still have a heavy reliance on legacy systems including those that operate in the industrial industry and banking sector. These industries put their digital faith in systems that struggle to be updated and can’t handle being switched off for updates. Without a plan for EoL this can become a big security risk,” Joey Stanford, VP of Privacy & Security at PaaS provider Platform.sh, told SecurityWeek.
Stanford pointed out that “not all is lost” and companies can still take steps to protect vulnerable systems while they create a plan to address the EoL. For example, Windows 8.1 systems can be placed behind a dedicated firewall, which should also be complemented by an intrusion prevention system. Vulnerable systems should not be remotely accessible — a VPN should be used if remote access is necessary — and supported antimalware solutions should be installed on these devices.
Specialized third-party patching services are also available. Acros Security’s 0patch service announced last week that it will continue to develop security patches for Windows 7, Server 2008 R2 and Server 2012 (including R2).
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, noted that Microsoft will likely still release emergency patches for critical vulnerabilities that hit Windows 8.1, but there is no guarantee.
Parkin has named several types of organizations that are more likely to be using very specialized software or have no budget for the required upgrades, including small businesses, local governments, public schools, and smaller commercial radio and television stations.
Antonio Sanchez, cybersecurity product marketing principal at cybersecurity software and services provider Fortra, also made a good point.
“If your strategy is to hope there are no new vulnerabilities discovered, here is something to keep in mind: Windows 7 had almost 1,000 new vulnerabilities after its end of life,” Sanchez said.
Related: VMware Patches Critical Vulnerability in End-of-Life Product
Related: Hundreds of Millions of PCs Remain Vulnerable as Windows 7 Reaches End of Life
