HKCert
Security Blog

HKCERT Calls for Attention on End of Support for Windows 7, Windows Server 2008 and 2008 R2

Release Date: 22 / 11 / 2019
Last Update: 22 / 11 / 2019

From 14 January 2020, computers running the Windows 7, Windows Server 2008 and 2008 R2 operating systems (OSs) will no longer receive free technical support, software updates or security updates from Microsoft [1][2]. In other words, users whose machines still run these OSs after support ends will be exposed to attacks targeting unpatched vulnerabilities.

Market Share of Windows 7 in Hong Kong

Released just over a decade ago, Windows 7 has been one of Microsoft's most popular OSs. According to the latest StatCounter figures [3], with only two months until the end of support, Windows 7 still accounts for 28% of the desktop Windows market share in Hong Kong (Figure 1).

(Figure 1: Desktop Windows OS Market Share in Hong Kong from Oct 2018 to Oct 2019)

HKCERT urges Windows 7 users to upgrade or migrate their OS to a supported version (e.g. Windows 10 or other OS developers’ supported OSs) as soon as possible.

Risks of Using End of Support (EOS) Operating Systems

  1. Since EOS OSs will no longer receive any patches or security updates, vulnerabilities discovered after support ends will remain unfixed, which may increase the risk of information and data leakage.
  2. Computers running EOS OSs in a closed network are not immune to hackers or malware once the internal network has been successfully infiltrated.
  3. Other software packages running on EOS OSs may not be able to upgrade or migrate to the latest supported OSs due to compatibility issues, resulting in security threats from subsequent unfixed vulnerabilities.
  4. Enterprises will have to pay a hefty amount to maintain EOS OSs, for example by adding an extra layer of protection (e.g. virtual patching), purchasing extended support coverage and spending extra effort on maintaining multiple versions of OSs.

Security Recommendations

  1. HKCERT urges all affected Windows and Windows Server users to upgrade or migrate their OSs to supported versions as soon as possible. To ensure a smooth migration and mitigate potential risk, users need comprehensive planning.
  2. Users who already plan to upgrade their OSs but are unable to do so before the EOS deadline can buy the Extended Security Update (ESU) services from Microsoft to secure extra time [4].
  3. Legacy systems whose applications are not compatible with security patches, and for which ESU services are not applicable, should be placed in an isolated network.

Note:

[1] Microsoft: Windows 7 support will end on January 14, 2020

https://support.microsoft.com/en-us/help/4057281/windows-7-support-will-end-on-january-14-2020

[2] Microsoft: End of support for Windows Server 2008 and Windows Server 2008 R2

https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2

[3] StatCounter Global Stats

https://gs.statcounter.com/

[4] Microsoft: Extended Security Update (ESU)

https://www.microsoft.com/en-us/cloud-platform/extended-security-updates