Windows 7 Extended Security Updates, Windows 8.1 Reach End of Support

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Windows 7 reached end of life (EoL) on January 14, 2020, but Microsoft gave customers the option to continue receiving important security updates through its ESU program. However, ESUs will no longer be available for purchase after January 10, 2023.

Windows 8.1 support ends on the same day. Computers running this version of Windows will continue to function, but will no longer receive technical support, software updates and, importantly, security updates or patches. In addition, Microsoft will not be offering an ESU program for Windows 8.1.

“Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the tech giant warns.

Microsoft also announced that Edge 109, scheduled for release on January 12, is the last version to support Windows 7, Windows 8.1, and Windows Server 2008 R2, Server 2012 and Server 2012 R2.

Windows Server 2012 and Server 2012 R2 will reach end of support on October 10, 2023. After this date, these operating systems will no longer receive security and non-security updates, bug fixes, technical support, or online technical content updates.

Customers that migrate applications and databases to Azure virtual machines will receive Extended Security Updates (ESUs) for free for three years after October 10. Other customers can purchase ESUs for Windows Server 2012 for up to three years, to get security updates until October 13, 2026.

Security experts urge organizations not to ignore Microsoft’s notifications, and to take steps to avoid exposing their business to a significant amount of risk.

However, there are likely many cases where it may not be easy for organizations to update their systems to supported versions of Windows, due to budget issues and the use of older hardware.

“Unfortunately, many businesses still have a heavy reliance on legacy systems including those that operate in the industrial industry and banking sector. These industries put their digital faith in systems that struggle to be updated and can’t handle being switched off for updates. Without a plan for EoL this can become a big security risk,” Joey Stanford, VP of Privacy & Security at PaaS provider Platform.sh, told SecurityWeek.

Stanford pointed out that “not all is lost” and companies can still take steps to protect vulnerable systems while they create a plan to address the EoL. For example, Windows 8.1 systems can be placed behind a dedicated firewall, which should also be complemented by an intrusion prevention system. Vulnerable systems should not be remotely accessible — a VPN should be used if remote access is necessary — and supported antimalware solutions should be installed on these devices.

Specialized third-party patching services are also available. Acros Security’s 0patch service announced last week that it will continue to develop security patches for Windows 7, Server 2008 R2 and Server 2012 (including R2).

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, noted that Microsoft will likely still release emergency patches for critical vulnerabilities that hit Windows 8.1, but there is no guarantee.

Parkin has named several types of organizations that are more likely to be using very specialized software or have no budget for the required upgrades, including small businesses, local governments, public schools, and smaller commercial radio and television stations.

Antonio Sanchez, cybersecurity product marketing principal at cybersecurity software and services provider Fortra, also made a good point.

“If your strategy is to hope there are no new vulnerabilities discovered, here is something to keep in mind: Windows 7 had almost 1,000 new vulnerabilities after its end of life,” Sanchez said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
