Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Windows 7 Extended Security Updates, Windows 8.1 Reach End of Support

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Windows 7 reached end of life (EoL) on January 14, 2020, but Microsoft gave customers the option to continue receiving important security updates through its ESU program. However, ESUs will no longer be available for purchase after January 10, 2023.

Windows 8.1 support ends on the same day. Computers running this version of Windows will continue to function, but will no longer receive technical support, software updates and, importantly, security updates or patches. In addition, Microsoft will not be offering an ESU program for Windows 8.1.Windows 8.1 reaches end of life

“Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the tech giant warns.

Microsoft also announced that Edge 109, scheduled for release on January 12, is the last version to support Windows 7, Windows 8.1, and Windows Server 2008 R2, Server 2012 and Server 2012 R2.

Windows Server 2012 and Server 2012 R2 will reach end of support on October 10, 2023. After this date, these operating systems will no longer receive security and non-security updates, bug fixes, technical support, or online technical content updates.

Customers that migrate applications and databases to Azure virtual machines will receive Extended Security Updates (ESUs) for free for three years after October 10. Other customers can purchase ESUs for Windows Server 2012 for up to three years, to get security updates until October 13, 2026.

Security experts urge organizations not to ignore Microsoft’s notifications and take steps to prevent the exposure of their business to a significant amount of risk.

However, there are likely many cases where it may not be easy for organizations to update their systems to supported versions of Windows, due to budget issues and the use of older hardware.

“Unfortunately, many businesses still have a heavy reliance on legacy systems including those that operate in the industrial industry and banking sector. These industries put their digital faith in systems that struggle to be updated and can’t handle being switched off for updates. Without a plan for EoL this can become a big security risk,” Joey Stanford, VP of Privacy & Security at PaaS provider, told SecurityWeek.

Stanford pointed out that “not all is lost” and companies can still take steps to protect vulnerable systems while they create a plan to address the EoL. For example, Windows 8.1 systems can be placed behind a dedicated firewall, which should also be complemented by an intrusion prevention system. Vulnerable systems should not be remotely accessible — a VPN should be used if remote access is necessary — and supported antimalware solutions should be installed on these devices.

Specialized third-party patching services are also available. Acros Security’s 0patch service announced last week that it will continue to develop security patches for Windows 7, Server 2008 R2 and Server 2012 (including R2).

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, noted that Microsoft will likely still release emergency patches for critical vulnerabilities that hit Windows 8.1, but there is no guarantee.

Parkin has named several types of organizations that are more likely to be using very specialized software or have no budget for the required upgrades, including small businesses, local governments, public schools, and smaller commercial radio and television stations.

Antonio Sanchez, cybersecurity product marketing principal at cybersecurity software and services provider Fortra, also made a good point.

“If your strategy is to hope there are no new vulnerabilities discovered, here is something to keep in mind: Windows 7 had almost 1,000 new vulnerabilities after its end of life,” Sanchez said.

Related: VMware Patches Critical Vulnerability in End-of-Life Product

Related: Hundreds of Millions of PCs Remain Vulnerable as Windows 7 Reaches End of Life

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.