Windows 7 computers will no longer be patched after today

Do you know what you were doing 3736 days ago?

We do! (To be clear, lest that sound creepy, we know what we were doing, not what you were doing.)

Admittedly, we didn’t remember all on our own – we needed the inexorable memory of the internet to help us recall what happened on 22 October 2009.

That was the official release date of Windows 7, so we armed ourselves with a fresh-out-of-the-box copy (remember boxed software?) and tried a bunch of new viruses against it.

Simply put, we took the next 10 Windows malware samples that showed up for analysis at SophosLabs, checked that they ran on the previous versions of Windows and then threw them at the all-new Windows 7.

The good news is that three of the 10 samples didn’t work on Windows 7; the bad news is that seven did.

You can’t really blame Microsoft for that, as much as you might like to, given that everyone expected existing software to work “out of the box” with the new version, despite numerous security improvements.

That was a decade ago – 10 years and nearly 3 months, to be precise.

Today marks the other end of the Windows 7 story – the very end of the other end, in fact.

It’s the first Patch Tuesday of 2020 and once today’s Windows 7 updates are shipped…

…that’s that.

“So long, and thanks for all the fish.”

There won’t be any more routine Windows 7 updates, as there haven’t been for Windows XP since Tuesday, 08 April 2014.

The problem is that “new” malware samples, together with new vulnerabilities and exploits, are likely to work on old Windows 7 systems in much the same way, back in 2009, that most “old” malware worked just fine on new Windows 7 systems.

Even if the crooks stop looking for new vulnerabilities in Windows 7 and focus only on Windows 10, there’s a fair chance that any bugs they find won’t be truly new, and will have been inherited in code that was originally written for older versions of Windows.

Bugs aren’t always found quickly, and may lie low for years without being spotted – even in open source software that anyone can download and inspect at their leisure.

Those latent bugs may eventually be discovered, “weaponised” (to use one of the security industry’s less appealing jargon terms) and exploited by crooks, to everyone’s unfortunate surprise.

The infamous Heartbleed flaw in OpenSSL was there for about two years before it became front-page news. In 2012, the Unix security utility sudo fixed a privilege escalation bug that had been introduced in 2007. OpenSSH patched a bug in 2018 that had sat undiscovered in the code since about 2000.

Who’s at fault?

Windows 10 is significantly more secure against exploitation by hackers than Windows 7 ever was, and retrofitting those new security features into Windows 7 is just not practicable.

For example, there are numerous “breaking changes” in Windows 10 that deliberately alter the way things worked in Windows 7 (or remove components entirely) because they’re no longer considered secure enough.

For that reason, going forwards by upgrading can be considered both a necessary and a desirable step.

At the same time, not going forwards will leave you more and more exposed to security holes – because any vulnerabilities that get uncovered will be publicly known, yet unpatched forever.

For better or for worse, the modern process of bug hunting and disclosure generally involves responsibly reporting flaws, ideally including a “proof of concept” that shows the vendor how the bug works in real life as a way of confirming its importance.

Then, once patches are out, it’s now considered not only reasonable but also important to publish a detailed exposé of the flaw and how to exploit it.

As crazy as that sounds, the idea is that we’re more likely to write secure software in future if we can readily learn from the mistakes of the past, on the grounds that those who cannot remember history are condemned to repeat it.

The downside of the full disclosure of exploits, however, is that those disclosures are sometimes “attack instructions in perpetuity” against systems whose owners haven’t patched, can’t patch, or won’t patch.

What to do?

  1. Identify systems on your network that simply can’t be updated. You then need to decide whether you absolutely need to keep them, for example because they are irreplaceable and specialised devices that you simply can’t do without, or to get rid of them forever. If you have to keep them, put them on a separate network and limit their exposure as much as you can.
  2. Identify systems where other vendors’ software is holding you back. Keeping on with a now-insecure version of Windows just to carry on running a now-also-insecure software stack from another vendor is just making a bad thing worse. GOTO 1.
  3. Set yourself some hard deadlines for finally making the move to Windows 10. Technically, you’ve already left it too late, so don’t delay any more. The longer you put it off, the more exposed you will be, and the greater the number of cybercrooks who will be able to penetrate your network if they decide to try. GOTO 1.

Depending on whom you ask, you’ll see figures suggesting that somewhere between 25% and 33% (that’s one-fourth to one-third) of desktop computers are still running Windows 7.

So, please… don’t delay – do it today!