Windows 7 computers will no longer be patched after today – Naked Security

Do you know what you were doing 3736 days ago?

We do! (To be clear, lest that sound creepy, we know what we were doing, not what you were doing.)

Admittedly, we didnt remember all on our own we needed the inexorable memory of the internet to help us recall what happened on 22 October 2009.

That was the official release date of Windows 7, so we armed ourselves with a fresh-out-of-the-box copy (remember boxed software?) and tried a bunch of new viruses against it.

Simply put, we took the next 10 Windows malware samples that showed up for analysis at SophosLabs, checked that they ran on the previous versions of Windows and then threw them at the all-new Windows 7.

The good news is that three of the 10 samples didnt work on Windows 7; the bad news is that seven did.

You cant really blame Microsoft for that, as much as you might like to, given that everyone expected existing software to work out of the box with the new version, despite numerous security improvements.

That was a decade ago 10 years and nearly 3 months, to be precise.

Today marks the other end of the Windows 7 story the very end of the other end, in fact.

Its the first Patch Tuesday of 2020 and once todays Windows 7 updates are shipped

thats that.

So long, and thanks for all the fish.

There wont be any more routine Windows 7 updates, as there havent been for Windows XP since Tuesday, 08 April 2014.

The problem is that new malware samples, together with new vulnerabilities and exploits, are likely to work on old Windows 7 systems in much the same way, back in 2009, that most old malware worked just fine on new Windows 7 systems.

Even if the crooks stop looking for new vulnerabilities in Windows 7 and focus only on Windows 10, theres a fair chance that any bugs they find wont be truly new, and will have been inherited in code that was originally written for older versions of Windows.

Bugs arent always found quickly, and may lie low for years without being spotted even in open source software that anyone can download and inspect at their leisure.

Those latent bugs may eventually be discovered, weaponised (to use one of the security industrys less appealing jargon terms) and exploited by crooks, to everyones unfortunate surprise.

The infamous Heartbleed flaw in OpenSSL was there for about two years before it became front-page news. In 2012, the Unix security utility sudo fixed a privilege escalation bug that had been introduced in 2007. OpenSSH patched a bug in 2018 that had sat undiscovered in the code since about 2000.

Windows 10 is significantly more secure against exploitation by hackers than Windows 7 ever was, and retrofitting those new security features into Windows 7 is just not practicable.

For example, there are numerous breaking changes in Windows 10 that deliberately alter the way things worked in Windows 7 (or remove components entirely) because theyre no longer considered secure enough.

For that reason, going forwards by upgrading can be considered both a necessary and a desirable step.

At the same time, not going forwards will leave you more and more exposed to security holes because any vulnerabilities that get uncovered will be publicly known, yet unpatched forever.

For better or for worse, the modern process of bug hunting and disclosure generally involves responsibly reporting flaws, ideally including a proof of concept that shows the vendor how the bug works in real life as a way of confirming its importance.

Then, once patches are out, its now considered not only reasonable but also important to publish a detailed expos of the flaw and how to exploit it.

As crazy as that sounds, the idea is that were more likely to write secure software in future if we can readily learn from the mistakes of the past, on the grounds that those who cannot remember history are condemned to repeat it.

The downside of the full disclosure of exploits, however, is that those disclosures are sometimes attack instructions in perpetuity against systems whose owners havent patched, cant patch, or wont patch.

Depending on whom you ask, youll see figures suggesting that somewhere between 25% and 33% (thats one-fourth to one-third) of desktop computers are still running Windows 7.

So, please dont delay do it today!

Read more here:
Windows 7 computers will no longer be patched after today - Naked Security

Related Posts

Comments are closed.