Windows 7 end of life: Security risks and what you should do next

Microsoft Windows 7 will no longer receive security patches - and cyber criminals will be looking to exploit it to target businesses that still haven't upgraded from Windows 7. Getting your security strategy right is vital.
Written by Danny Palmer, Senior Writer

Windows 7 has reached end of life and now isn't supported by Microsoft. It means businesses and consumers with PCs running on Windows 7 – which was introduced in 2009 – will no longer receive technical assistance, software patches and security updates from Microsoft, unless they want to pay extra.

Microsoft has urged users still running Windows 7 to upgrade to Windows 10 to continue to receive technical support. But despite these warnings coming over a number of years, it's estimated that 200 million PC users are still running Windows 7.

Put simply, if a new security vulnerability or software bug is uncovered in Windows 7, Microsoft is no longer obliged to release any sort of patch to fix the issue on the unsupported operating system; and that's something that could put individuals and organisations that still rely on Windows 7 in danger from cyberattacks, hacking and malware.


Such is the potential risk posed by this that the UK's National Cyber Security Centre – the cyber arm of the GCHQ intelligence service – has issued a warning over the continued use of Windows 7 PCs and laptops, telling users they shouldn't use Windows 7 devices when accessing personal data.

"The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates that help protect their devices," an NCSC spokesperson told ZDNet.

"We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device."

Individuals who haven't upgraded to Windows 10 will inevitably face security risks should they stick with Windows 7, but for organisations that continue to use Windows 7, the potential risks are much greater.

Businesses hold data on large groups of people and it's not beyond the realms of possibility that attackers could exploit new vulnerabilities uncovered in Windows 7 to maliciously infiltrate networks via phishing or malware attacks and gain access to that data. The global WannaCry ransomware attack of May 2017 demonstrated how vulnerable machines that haven't received security updates can be to hackers.

Then last year, researchers detailed BlueKeep, another Windows vulnerability that could have a similar impact. Therefore, by continuing to use an unsupported operating system, organisations are putting themselves at unnecessary risk from major attacks that exploit any new vulnerabilities found in Windows 7.

"In May, we learned about the BlueKeep vulnerability which, if exploited, could allow an unauthenticated remote attacker to connect to a Windows server via remote desktop protocol (RDP) and execute arbitrary code on the remote server. Both Windows 7 and XP are still at risk of this exploit," said Sivan Nir, threat intelligence team leader at Skybox Security.

"While some vulnerabilities have network-based mitigation alternatives to patching, like applying an IPS-based signature, this will not be the case for the majority of vulnerabilities. Windows XP users are currently sitting ducks. Now, Windows 7 users will join them," she added.

Even for organisations that have pushed towards upgrading their PC environment from Windows 7 to Windows 10, there's still the potential that there could be some Windows 7 devices left lurking on the network – and it could be a good idea for organisations who've upgraded their architecture to double-check something hasn't been missed.

"The simple fact is that 'if you can't measure it, you can't manage it'. In other words, if you don't routinely check your own network for what is on it, you'll never confidently be able to say what isn't there," said Paul Ducklin, principal security researcher at Sophos.

Devices ranging from laptops users have brought from home to things like marketing kiosks and virtual billboards could all potentially be running on Windows 7 and could all have potentially been missed in initial examinations of the network.

Organisations should ensure they really do know what's on their networks – because with Windows 7 out of support, hackers will be looking for any unsupported and unpatched device they can take advantage of as an entry point into the network.

"If you don't take stock of your network by scanning it and measuring it to see how much Windows 7 you really have, the chances are the cybercrooks will surely do it for you," said Ducklin.
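An added example (not from the article or the researchers it quotes) of the kind of inventory check Ducklin describes: a PowerShell function that flags Windows 7 and Windows XP hosts in a computer inventory. It assumes objects shaped like Get-ADComputer output (OperatingSystem, OperatingSystemVersion, LastLogonDate); the host names and dates below are constructed.

```powershell
# Added example: flag end-of-life Windows clients in an asset inventory.
# Property names mirror Get-ADComputer output; sample hosts are constructed.
function Get-UnsupportedWindowsHosts {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$Computer,
        # Kernel versions reported by the unsupported clients the article discusses:
        # Windows 7 reports 6.1, Windows XP reports 5.1.
        [string[]]$UnsupportedVersions = @('6.1', '5.1'),
        [string[]]$UnsupportedNames = @('Windows 7', 'Windows XP')
    )
    process {
        foreach ($c in $Computer) {
            $name    = [string]$c.OperatingSystem
            $version = [string]$c.OperatingSystemVersion
            $major   = ($version -split '\s')[0]          # "6.1 (7601)" -> "6.1"

            $byName    = $UnsupportedNames | Where-Object { $name -like "$_*" }
            $byVersion = $UnsupportedVersions -contains $major

            # Match on the OS name first; fall back to the version only when the name
            # attribute is empty (6.1 is also Server 2008 R2, so review those by hand).
            if ($byName -or (-not $name -and $byVersion)) {
                $osLabel = if ($name) { $name } else { "unknown (version $major)" }
                $reason  = if ($byName) { 'name' } else { 'version' }
                [pscustomobject]@{
                    Name            = $c.Name
                    OperatingSystem = $osLabel
                    LastLogonDate   = $c.LastLogonDate
                    Reason          = $reason
                }
            }
        }
    }
}

# Constructed inventory standing in for Get-ADComputer output (kiosk has no OS name set).
$inventory = @(
    [pscustomobject]@{ Name='WS-FIN-01';   OperatingSystem='Windows 7 Professional';  OperatingSystemVersion='6.1 (7601)';   LastLogonDate=(Get-Date).AddDays(-2)  }
    [pscustomobject]@{ Name='WS-HR-12';    OperatingSystem='Windows 10 Enterprise';   OperatingSystemVersion='10.0 (18363)'; LastLogonDate=(Get-Date).AddDays(-1)  }
    [pscustomobject]@{ Name='KIOSK-LOBBY'; OperatingSystem='';                        OperatingSystemVersion='6.1 (7601)';   LastLogonDate=(Get-Date).AddDays(-40) }
    [pscustomobject]@{ Name='SIGN-CAFE';   OperatingSystem='Windows XP Professional'; OperatingSystemVersion='5.1 (2600)';   LastLogonDate=(Get-Date).AddDays(-90) }
)

$inventory | Get-UnsupportedWindowsHosts | Format-Table -AutoSize

# Against a real domain, replace $inventory with:
# Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate
```

Running it against the constructed data lists WS-FIN-01, KIOSK-LOBBY and SIGN-CAFE; the LastLogonDate column helps separate live machines from stale directory objects.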


Despite Windows 7 reaching end of life, some organisations remain resistant to upgrading, often citing that the change will be complex or expensive. However, by choosing to use an unsupported version of Windows 7, it might only be a matter of time before an organisation finds itself falling victim to cyber attackers looking to target the decade-old operating system.

"Ultimately, these organisations need to upgrade and the sooner the better. Cyberattacks aren't going to disappear overnight; security teams should be working to protect their organisations' networks. If they don't upgrade soon, then the worst-case scenario could be another WannaCry-style attack," said Nir.

"Even though businesses are reluctant to purchase more recent versions of Windows, keeping themselves without security updates is incredibly dangerous, and the risk of financial and reputational damage is huge. For those who don't have a clear plan to move away from Windows 7, it is about time to create one," she said.
