Windows 7: Don’t cry for me

It may have gone unnoticed with the January 14 end of support deadline for Windows 7, but Microsoft’s 10 year old OS, had one last Patch Tuesday update. And , surprise, surprise, this included a critical security update for the CVE-2020-0611, that the NSA reported is a remote desktop vulnerability, which affects Windows 7 and newer operating systems.

In the past, Microsoft has remained committed to releasing the most critical security patches for unsupported operating systems, such as the Windows XP fix for the WannaCry attack, that afflicted systems around the world, including legacy hardware at the NHS. In February 2018, the Lessons learned review of the WannaCry Ransomware Cyber Attack report for NHS England reported that 80 out of 236 hospital trusts across England were affected; 595 out of 7,4545 GP practices (8%) and eight other NHS and related organisations were infected.

Organisations have had several years to migrate to Windows 10, which was released in 2015, starting the five year countdown to Windows 7 end of support. But, businesses do not generally shift from something that works well – like Windows 7 – to a new operating system, just because Microsoft has released a new version. Migrating large PC estates can take years, as older PCs are replaced with new ones, running the latest Windows OS. Certain applications and embedded systems, cannot easily be migrated to the new OS, and remain on an unsupported operating system, leaving them vulnerable to cyberattacks.

Could something like WannaCry happen again, with a vulnerability impacting legacy Windows 7 machines? Certainly every Patch Tuesday from now on will list critical vulnerabilities in Windows 10. How many of these also impact Windows 7?

“WannaCry was a clear example of the dangers that businesses can face when they are using software that has reached end of life,” says Ian Wood, Senior Director, EMEA Cloud & Governance Business Practice at Veritas.