Despite the FBI announcement, hospitals, schools, and government offices across the world still use Windows 7.
Security experts detailed a litany of concerns following an announcement on Monday from the Federal Bureau of Investigation about the official end of life for Windows 7. The private industry notification, first covered by ZDNet, said the FBI “has observed cyber criminals targeting computer network infrastructure after an operating system achieves end-of-life status,” and added that “continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems.”
“As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered. With fewer customers able to maintain a patched Windows 7 system after its end of life, cybercriminals will continue to view Windows 7 as a soft target,” the FBI notice said.
Microsoft announced the end of life for Windows 7 on Jan. 14, but thousands of hospitals, schools, and government offices still use the operating system for a variety of reasons. The FBI added that in the 2017 WannaCry outbreak, 98% of the computers infected had been running an unpatched version of Windows 7.
“Windows 7 was introduced nearly 11 years ago, and to put into context how long ago that is in technology terms, the iPad did not even exist at this time. Organizations have had far too much time to make the move,” said Adam Laub, CMO, Stealthbits Technologies. “It likely will not stop them from crying victim, however, when their Windows 7 systems are leveraged as the launching point for much more devastating attacks against their enterprises.”
Dozens of security experts laid out the problems organizations may face when trying to transition away from Windows 7.
Red Canary manager for incident handling Chris Abbey noted thatWindows 7 has substantial market share, accounting for roughly 20 percent of the operating system market. This, he said, means that cybercriminals will continue developing exploits for the vulnerabilities that emerge in it. Over time, those vulnerabilities will stack up, as will exploits for them, and those exploits may become publicly available and widely adopted.
Microsoft may release patches for very severe bugs, as it did with the vulnerabilities that enabled the NotPetya attacks in 2017, but most vulnerabilities in Windows 7 will remain perpetually unfixed. The problem will be particularly pronounced in large environments, where there may be widespread compatibility issues that preclude a move from Windows 7 to 10, he added.
“Organizations that will be disproportionately affected include those that rely on specialized hardware, like hospitals and manufacturers, as well organizations with tight budgets, like schools and government institutions. Unfortunately, it simply isn’t practical to expect that all enterprises will be able to update operating systems before they fall out of support,” he said.
“Therefore, it’s important that security and IT teams develop compensatory controls that might include the use of virtualization technologies, network segmentation, and application controls. As always, it’s critically important to maintain a functional and up-to-date incident response plan. Organizations may want to consider the compliance ramifications of not updating, as certain compliance regimes require that organizations update systems in a timely manner or otherwise limit exposure to software vulnerabilities.”
Most of these organizations also face the problem of having costly legacy software that is heavily dependent on outdated legacy operating systems.
Satya Gupta, co-founder and CTO of Virsec, said Microsoft has been trying to wean businesses off of Windows 7 for a while but the problem many organizations face is that upgrading, or even routine patching, is usually more difficult and disruptive than vendors like to admit.
Many of these enterprises may have legacy applications that are also used well past their intended lifecycles—often requiring specific OS environments, even if those are out of date.
“If you try to force businesses to retire legacy apps, there will always be stragglers—thousands of them—that open easy entry points for attackers. We have to shift to a security model that recognizes the real world, that legacy operating systems and apps will live on for years, and they need to be protected as is—without requiring painful upgrades to maintain basic security,” Gupta said.
According to Cerberus Sentinel CEO David Jemmett, hackers have been studying Windows 7 to exploit it for years.
As an example, he compared it to car thieves learning how to hotwire a car from the 1960s versus a brand-new Cadillac with electronic systems for ignition.
“1960 car is just crossing wires and a possible crowbar for the window. The Cadillac electronic system which would take a sophisticated hacker with tools to accomplish it with expertise. Windows 7 has no updates or patched security at this time leaving the system vulnerable to known hacks,” Jemmett told TechRepublic.
“Healthcare has been warned for several years to move from the Windows 7 OS. Hopefully with the FBI warning it will give incentive to create the updates that are needed for a more secure environment.”
Other analysts echoed those same concerns, with Chris Clements saying that Windows 7 computers are the first his team looks to exploit during ethical hacking engagements.
As vice president of Solutions Architecture at Cerberus Sentinel, he has seen that Windows 7 is less likely to be patched and has very insecure default settings like storing the password of every user that has logged in since the last system boot in cleartext in system memory.
“It doesn’t matter how strong a user’s password is if Windows 7 will just hand it over in clear text. Patching end-of-support systems like Windows 7 and Windows Server 2008 can be done, but it requires both paying Microsoft additional fees for the out of support and also making additional configuration changes to every system in order for them to receive ongoing updates,” Clements said.
“In most cases it’s much easier to re-image or replace existing Windows 7 computers with Windows 10 rather than attempt in place upgrades.”
Despite the obvious warnings, it may be difficult for most organizations to find the funding to replace hundreds of aging computers. But some security analysts said organizations should look at the situation from another angle.
Is the cost of replacing these systems or devices equal to the cost of a breach?
Nilesh Dherange, CTO, security company Gurucul, said some organizations kept Windows 7 in operation because of legacy applications or no clear way to replace an embedded system, but it has reached the point where they need to weigh the cost of replacement against the cost of a breach.
Keeping Windows 7 in service means dealing with ever-increasing threats to an unsupported system with a long history of security flaws. For any system that can be upgraded or replaced, the clear path is to upgrade or replace it, Dherange noted.
“If there really is no alternative, then the system needs to be isolated and protected as much as possible before it crosses the line between irreplaceable asset and severe liability. Attackers have had tools against Windows 7 for years, and they will use them any chance they get. But the bottom line is these unsupported systems need to be taken out of production before they’re used as an attack vector,” Dherange said.
Microsoft has offered free upgrades from Windows 7, so any organization that can take advantage of that should, according to Chloé Messdaghi, vice president of Strategy at Point3 Security.
But Messdaghi lamented the fact that so many city, county, and state authorities are still running Windows 7, which opens them up to attacks and to data exfiltration in places like schools. Messdaghi noted that the issue is particularly pertinent right now as the country prepares for crucial elections that need to be trusted by the public. The failure to upgrade aging systems may not only give cyberattackers ways into systems but will allow others to question the legitimacy of certain government services.
“Upgrading is easy, and it’s essential to protect trust that consumers have in their brands and the public holds in its public-sector leaders,” Messdaghi said.
Casey Kraus, president of Senserva, added that with millions still working from home, this advice not only applies to organizational devices but ones being used in homes as well.
But Roger Grimes, data driven defense evangelist at KnowBe4, said the situation should be a larger reminder that every organization needs to build end-of-life phases into every piece of software or hardware they buy.
Microsoft, he said, is very verbal and public about end-of-life dates many years ahead of time, including documenting the end-of-life from the day of release. The end-of-life dates need to be part of every IT lifecycle and shouldn’t be unexpected, he added.
“In general, when something approaches end-of-life, this is the approach most organizations should take: Replace or update the end-of-life asset if you still need it, and if it cannot be replaced or updated by end-of-life and you still need to use it, implement one or more mitigations to reduce risk. This includes buying vendors or third-party support to continue to cover the asset past end of life, if available,” he said.
“Physically isolate any post-end-of-life assets that must still be used, if possible. If not, then get any post-end-of-life assets from being contactable over the internet if possible. If you can’t do this, risk of compromise is significantly higher. Limit internal network access to any post-end-of-life assets, and if possible institute high levels of monitoring post-end-of-life assets no matter what mitigations you choose.”