Windows 7 extended support will end in exactly one year’s time on January 14th, 2020—mainstream support for the operating system ended back in 2015. Despite this, Windows 7 is still found on around 40% of PCs and current trends predict that it will still power some 36% of PCs by the deadline. Its predecessor Windows XP (we don’t talk about Vista) still has an ~4% share, despite not having had an update since April 2014. This article will hopefully help to explain what end-of-lifing means to you, as well as steps you can take to ensure that you can be secure in a year.
First, why does software get end-of-lifed? Software development requires time and resources, and after enough time has passed and enough subsequent editions of the software (Windows 8 and 10, in this case) have been released, the development company may not be able to justify the continued expense of supporting every version of their software, or may wish to push customers on to the ‘latest and greatest’ versions. Different companies have different procedures, but Microsoft aims to provide five years of ‘mainstream support’ which includes feature updates, and five years of ‘extended support’, which only provides security updates. After that ten years has passed, the operating system is no longer supported.
For some software, the loss of official support is not the end. Free software (“free” as in “free speech,” not as in “free beer”) is software that provides its source code publicly, allowing anybody to search for vulnerabilities and, when found, provide their own fixes and redistribute them. As such, free software—examples include the Firefox Web browser and the GNU/Linux operating system—does not get end-of-lifed in the same way. However, Windows source code is proprietary, and so an official end-of-life is akin to a software death sentence.
Running end-of-lifed software on your networks can be a godsend to attackers. For example, the 2017 WannaCry ransomware attack that incapacitated swathes of the NHS (along with other victims all over the globe) was able to spread so widely as a result of exploiting a security vulnerability in outdated versions of Windows 7. As a result, Microsoft made the extraordinary move of releasing an emergency patch for the operating systems affects, but by no means should this be taken as a sign that they will do so again for anything less than another worldwide malware pandemic.
How does this affect your business? Obviously, you should be looking into migrating all of your current Windows 7 systems to a newer operating system version over this year—make it your new year’s resolution—and ensure that any firms within your supply chain are also doing so. There may be situations in which upgrading within the timeframe is unfeasible. In these cases, the NCSC do provide some guidance on how to manage the risk posed by such outdated software, but are clear that ‘the only fully effective way to mitigate this risk is to migrate away from the obsolete product.’