@AtlBo may be important for you :)
Microsoft is ending support for Windows 7 and Server 2008 early next year and will also stop delivery of security patches through the normal channel. But users have an alternative to get security fixes on a regular basis in the form of micropatches.
Micropatches are bite-size pieces of code sent through the 0Patch platform from ACROS Security to correct security problems in real time. They are applied to running processes and do not require restarting the machine or the program.
Regular patch cycle for high-risk bugs
After Microsoft ends support for Windows 7 and Windows Server 2008 on January 14, 2020, the 0Patch platform will continue to ship vulnerability fixes to its agents.
"Each Patch Tuesday we'll review Microsoft's security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching."
High-risk problems eligible for micropatching are defined here and include flaws that are easy to exploit, are already used in attacks, lead to a realistic remote code execution scenario, or have a patch that cannot be applied immediately.
If the vulnerable code is present in the unsupported Windows versions, the 0Patch team starts work on triggering the vulnerability and porting the patch.
If tests are successful, all Windows machines will receive the micropatch within 60 minutes, 0patch co-founder Mitja Kolsek says in a blog post today.
It is unclear how fast the code will ship to end of support (EoS) products after Microsoft rolls out the official updates.
Kolsek told BleepingComputer that shipping time depends on the difficulty of re-implementing the official patch on supported binaries and how soon they can get proof-of-concept (PoC) code to test the glitch.
"The latter is usually the bottleneck, but since researchers often publish their POCs after the vendor has issued their fix this should be easier in this case than usual." - Mitja Kolsek
Micropatches will normally be available to paying customers (Pro - $25/agent/year - and Enterprise license holders). However, Kolsek says that there will be exceptions for high-risk issues where a micropatch could help slow down a global-level spread; these will be available to non-paying customers, too.
To help large organizations avoid possible disruptions, the platform will have a central management service that "will allow admins to organize computers in groups and apply different policies to these groups." This is available for the Enterprise plan.
The service will permit rolling back the micropatches and will feature alerts, graphs, reports, and drill-downs. In the future, the company plans an on-premises version of the 0patch server.
Extended security updates from Microsoft
Windows 7 was released in the summer of 2009 and became a huge success for Microsoft, becoming the fastest-selling operating system in the history of the company.
Microsoft provides security updates for legacy products past the end of support to customers in the Extended Security Update (ESU) program, which may cost about $350 for each computer.
The price is for a three-year period, starting from $50 in the first year of support and doubling each year for the Professional version. The price is halved for the Enterprise release.
In the case of Windows 7, Microsoft will not abandon it abruptly. Apart from the ESU program, the company also provides the Windows Virtual Desktop program, which enables organizations to continue using the operating system with free extended security updates until 2023.
Furthermore, with the U.S. elections next year, Microsoft announced today that security updates will be available for free to federally certified voting systems running Windows 7. This extension ends at the end of 2020, though.
Kolsek says that 0Patch prices won't double every year and volume discounts will be available.
Windows 7 continues to be a popular operating system, just like Windows XP was before it. Its current market share is a little over 30%, according to multiple statistics. Just as Windows XP is still used today (above 1.5%) although its support ended in April 2014, so Windows 7 will continue to exist well beyond its extended support period.
0Patch will support Windows 7 and Server 2008 for at least one year, but the market will ultimately dictate how long the security of abandoned operating systems will last, Kolsek told us.