So, the day has finally arrived. Microsoft has officially released the last patches for the Windows 7 and Server 2008 families. SQL 2008 has ended support as well, but not many folks talk about it. And they released some doozies to go out with a blast. So, what do we do now?
For those of you that were able to retire all of the systems running these operating systems before the deadline, it’s business as usual for you. No fireworks, no fanfare, maybe a pat on the back for all of the hard work required to get there.
For those of you who have not crossed the finish line yet, there are many possible paths, but the clock started ticking on Tuesday of this week. You effectively have until February 11th to get your ducks in a row. Moving forward the only patches for those OSes we can expect would be extremely rare cases like MS17-010 – the infamous WannaCry patch. So, let’s look at that example and find out why not having support for an OS really matters.
Sure, you can’t open a support ticket with Microsoft for issues on that OS, in general this is no big deal for most people. The big problem here is that it seems that when there is a critical vulnerability on a Windows operating system, that the problem frequently runs across all the operating systems. So when a patch is released for a specific vulnerability, bad guys can frequently reverse-engineer the patch to find out where the hole is that is being plugged. Once they know that, then they can simply look at the operating systems that are no longer supported and see if the same hole exists there – and it frequently is. Then, it is only a matter of time before the bad guys write some code to exploit the hole. That’s really high-level and basic, but that is the general premise of the risk to the environment. If we look at WannaCry, Microsoft released patches for XP, which was way out of support, to close that hole. They knew the NSA’s toolkit got left on a park bench and the bad guys got a free skills power-up overnight. Same general premise, but the toolkit just shortened the timeframe required for the bad guys to be able to exploit it.
Again, the clock is ticking. When the next set of monthly Microsoft “Patch Tuesday” patches are released, the bad guys will get busy trying to find out what they can exploit on Windows 7/2008. With the crypto-related patches released this month, if Windows 7/2008 would have already been out of support, I would expect Microsoft to have released them for Win7/2008 as well – it was such a potentially catastrophic vulnerability.
Something like this will happen again. Some critical vulnerability will be exposed at some point, and the bad guys will exploit it on non-supported operating systems. Predicting this doesn’t take some mystic seer – just some basic common sense.
So, you realistically only have a few paths that you can take from here.
So, get off of them if you can, or pay the piper for more patches, or wait and possibly pay the consequences.
For those of you with enterprise patch management tools, some vendors will allow you to purchase support to support the deployment of the patches you purchased from Microsoft. BigFix is one of those tools. For those of you not familiar with BigFix, reach out and let’s talk. Wicked powerful set of tools that go way beyond the patch – true configuration state management tools.
BigFix recently released an announcement stating they will offer paid content to complement the patches you paid Microsoft for. This content keeps things business as usual. Very affordable as well – $10k per OS flavor (Win7 or Win2008) per year. If you have 100 Windows 7 systems or 10,000, the price is the same from BigFix for the extended support content. Again, you still have to write the check to Microsoft.
Like I said earlier, this is simple math – how much risk is the organization willing to take on before they decide to open the wallet?
If you need help – let us know.
Useful Microsoft Extended Security Updates links:
Link to HCL BigFix Blog for Extended Security Updates