The Windows 7 vulnerabilities businesses must address
Continuing security risks in Windows 7 mean that an upgrade to Windows 10 is now an essential business decision
It is now nearly ten years since Windows 7 became generally available (on 22 October 2009). Yet, unbelievably, according to Net Applications, 36.52% of desktop devices are still using the venerable operating system, compared to 43.62% running Windows 10. This is staggering when you consider the potential vulnerabilities of an older OS such as Windows 7, even when it has the most recent security patches. Mainstream support ended in January 2015, and although extended support continues until January 2020, companies really should have migrated well before that so any issues can be ironed out in time. In this feature, we discuss the risk from vulnerabilities in Windows 7 and why these must be addressed as soon as possible.
A migration to Windows 10 need not be painful, and the benefits will far outweigh the work involved. Learn how and why to migrate in IT Pro's guide.
One of the most infamous areas where Windows 7 has proven to be insecure is in its support for the server message block (SMB) version 1 protocol. This is a system frequently used on network attached storage (NAS) devices from around the same era as Windows 7, and also for printer sharing as well as other remote service connections. The Samba Linux file server used on many NAS devices emulates SMB to provide Windows network file storage access. This might seem like an obscure problem, but it was actually the weakness exploited by the hugely damaging WannaCry ransomware.
Whist this struck organisations all around the globe including in China, Spain, Russia, and the USA the UK's NHS was the worst affected, due to its widespread continuing use of Windows XP and Windows 7 for desktop clients. It is estimated that the cost of the attack to the NHS was around 92 million. The SMB 1 protocol leaves the TCP port 445 open, a vulnerability named "EternalBlue", and WannaCry exploited this to load malware on systems and propagate itself across a network to other vulnerable machines. The effects can be dramatic, infecting a whole network in a matter of minutes, as experienced by the NHS.
The most recent versions of SMB (3 or later) don't have this vulnerability, although even SMB 2 still exposes some areas that can be exploited in other ways. Microsoft did release a patch to combat the WannaCry issue once it was aware of the problem although allegedly the NSA knew about it long beforehand and didn't notify the company. However, there will still be many systems using Windows 7 and earlier that continue to enable a vulnerable version of SMB for backwards compatibility, and haven't been patched yet. With Windows 7 reaching end of life in less than a year despite over a third of systems still using it, this is a major concern.
The good news is that Windows 10 doesn't have this problem at all, because it doesn't enable SMB 1. This will mean a Windows 10 system won't be able to access older NAS devices that only offer SMB 1 network file sharing, although you can dig in the settings and turn it back on again if you need to but only if you have admin rights to your system, which most corporate network users won't be given. So a locked-down Windows 10 installation won't be vulnerable.
The SMB 1 problem exploited by WannaCry is just the most high-profile vulnerability in Windows 7, however. The CVE Details website lists 16 more potential security issues discovered just this year, and over a thousand across the lifetime of the product. The problems keep on coming, too. In early March, Google also reported the discovery of a zero-day vulnerability that could affect Windows 7. A zero-day vulnerability is one that at the time of writing hadn't been patched. The flaw Google discovered allows a local privilege escalation in the win32k.sys kernel driver of Windows 7 32-bit, which enables code to be executed outside the browser sandbox. In other words, a web page could run malicious code affecting the entire system.
The obvious way to address these vulnerabilities for sure is to install the latest patched build of Windows 10 on all your company's client systems. So why haven't more organisations upgraded to avoid the risk? One reason is obviously just the cost of upgrading an extensive multi-seat client installation. This will probably not just entail the software expense, but also the need to upgrade hardware and other software suites at the same time to support the new operating system. It's understandable why the NHS was caught in this trap, as 4.3 billion of the NHS's capital budget was shifted towards day-to-day running between 2014 and 2018, meaning much less could be spent on IT improvement.
Nevertheless, a hardware upgrade won't just mean the ability to run a more secure, current operating system. The hardware itself can be more secure against the latest threats. For example, HP's Elite range includes features like HP Client Security Manager to help set up Multi-factor Authentication and Windows Hello biometrics, for safe logins. There's the HP Support Assistant to ensure all software and drivers are up-to-date, not just core operating system and Microsoft Office patches. HP Sure Click makes Web browsing safer by running every browser tab in its own virtual machine. HP Sure View Gen2 prevents people from seeing your screen in a public place, and HP Sure Start Gen4 guards against BIOS-level attacks.
Another frequently reported problem comes from legacy software. If a company is using software that is only certified compatible with Windows 7, then it will be reluctant to upgrade operating systems, because the legacy software will need to be upgraded too. This will be particularly problematic if the legacy software was custom-built for the company by an employee who has now left the organisation. Some companies have also met with reluctance from employees to use Windows 10 instead of Windows 7, because the interface has some significant differences and they don't want to change their habits. A number of 3D workstation manufacturers were also sticking with Windows 7 until a couple of years ago due to performance issues with content creation software on version 10.
The IT Pro guide to Windows 10 migration' explores how to plan your migration from Windows 7 and ensure it's a successful transition. Download it here.
These are all valid concerns, to a greater or lesser degree, but companies should still bite the bullet and upgrade, because the potential cost of threats from old operating systems could be even more expensive. Accenture has estimated that the average cost of a malware attack on a company is $2.4 million and 50 working days, whilst Cybersecurity Ventures estimated that ransomware damage alone reached a global expenditure of $5 billion in 2017. Most of this is from downtime and productivity costs rather than the ransoms themselves. Indeed, whilst the global price of WannaCry was estimated to be $1 billion by security firm KnowBe4, the maximum total of ransom payouts would only have been $60 million taking all infections into consideration, and Krebs on Security put the figure at just a few thousand.
So whilst upgrading your client systems to Windows 10 will have its pain points, as the deadline for Windows 7 support ending looms it's an essential decision to make. You can also tie this in with a hardware upgrade to much more secure, feature-rich systems such as HP's Elite range. The usual rule of thumb is that an operating system upgrade takes 10 months to deploy across a large company, which would push beyond the Windows 7 end-of-life date already. In other words, it's time to take the plunge, and avoid the risks of running an obsolete operating system like Windows 7.
What you need to know about migrating to SAP S/4HANA
Factors to assess how and when to begin migrationDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisationDownload now
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviourDownload now