Guest author Michael Gorelik from Morphisec breaks down the security challenges and innovative solutions
As of January 10th 2023, Windows 7, Windows 8, 8.1, their Windows embedded derivatives, and Windows Server 2008 R2 will no longer receive patches from Microsoft. Millions of devices will now become "legacy" and create a suite of new legacy security risks.
Microsoft's 2023-Jan Release Notes included their final patches for three of Microsoft's operating systems (OS): 7, 8, and 8.1. This move is unsurprising but may still catch many IT teams off guard.
For example, although Windows 7 entered its end-of-life (EOL) phase almost three years ago, Microsoft offered business users an add-on support package called an Extended Security Update (ESU).
This "pay for patch" offering allowed organizations running Windows 7 to receive critical patches while they migrated their systems to newer OS versions.
Now Extended Security Updates for these operating systems are officially gone, without the possibility of extended support.
As Windows 7, 8, and 8.1 and the embedded derivatives lose support, another ~15 percent of all Windows computers currently in operation (as per statistics from November 2022) will now no longer receive OS patches.
Legacy Operating Systems Increase Risk Across the Software Supply Chain
Without vendor support, devices running EOL and non-supported operating systems become a continuous source of exploitable vulnerabilities.
In 2021, for example, over 17 percent of newly discovered vulnerabilities were over five years old.
Threat actors can also work back from vulnerabilities found in current OS versions to find new ways of compromising older machines. But more attackers actually wait for a patch to be released to develop N-day exploits.
Due to the iterative nature of OS development, exploitable vulnerabilities that vendors discover and patch in newer versions of Windows OS systems are sometimes found in older versions—where they will never be officially fixed.
Legacy operating systems, and the applications that run on them, also lack modern access controls. This is a significant source of breach risk. According to Microsoft's research, 97 percent of successful credential stuffing attacks involve legacy authentication. Even worse, for businesses relying on Microsoft Defender to secure Windows 8 and 8.1, from January 10th Defender will no longer support these platforms.
CISA ranks relying on "unsupported (or end-of-life) software" in first place of security bad practices.
Even if an organization upgrades all its systems to Windows 10 or newer, it’s still statistically likely that legacy devices will pop up somewhere in the supply chain. So even if your organization doesn’t run EOL systems, your third- and nth-party suppliers likely do.
The Legacy Security Challenge
Microsoft's removal of patching support for Windows 7, 8, and 8.1, the end of support for Windows Server 2008 R2, and the expected end of support for Windows Server 2012 in October 2023 illustrates the headache EOL devices create.
Businesses relying on out-of-date applications and systems have been a reality for decades.
Industries like healthcare are notorious for relying on out-of-date systems. In 2019, news that the UK's healthcare system was still running thousands of Windows XP endpoints five years after XP patching ended shocked many but surprised few.
In a 2022 survey conducted by the SANS institute, 54 percent of IT professionals working in OT and critical infrastructure organizations—including healthcare, said integrating and upgrading legacy systems was their biggest security challenge.
For many organizations in manufacturing, healthcare, finance, and education, taking legacy devices offline for upgrades is essentially impossible.
Another familiar challenge is that devices (such as an MRI machine workstation that runs on an out-of-date proprietary version of Windows) can hide EOL applications or prevent their replacement.
Hung Out to Dry
Removing support from Windows 7, 8, and 8.1 and Windows Server 2008 R2 shifts many more devices into this "never going to be replaced or patched" category.
Unfortunately, even if a legacy device has the compute to run security controls such as an antivirus system or EDR, and you can find a compatible protective solution, its scanners are extremely unlikely to be able to spot or stop modern evasive malware.
This means countless organizations relying on legacy devices have a dangerously unsecure environment, which dramatically increases their exposure to attack.
Machines running legacy operating systems are often part of the core operational backbone of an organization, running web servers, financial transactions, and other critical business applications—amplifying risk.
Since Microsoft’s end of support included embedded operating systems, critical IoT and OT devices such as point of sale (POS) systems, ATMs, medical devices, and industrial control system endpoints are also exposed.
Can You Get Effective Legacy Security?
As any cybersecurity practitioner knows, securing legacy systems is a daunting challenge. Because they lack power compared to current systems, legacy systems need a lightweight security solution.
They also need something that’s compatible with their software—both factors that rule out most of today’s industry leading security solutions such as EPP, EDR, and XDR/MDR. (Legacy systems lack basic mechanisms used by EDRs such as script scanning through AMSI.)
One solution that does offer ultra-lightweight protection and is compatible with Windows 7, 8, 8.1 and Windows 2008 R2 devices and servers is Morphisec. Morphisec Guard and Keep provide endpoint and server protection respectively for legacy environments and proactively prevent known and unknown advanced threats. Using patented Moving Target Defense (MTD) technology, Guard and Keep can run on a Raspberry Pi while preventing the most destructive cyberattacks, including supply chain attacks, zero-days, fileless/in-memory attacks, ransomware and other stealthy and evasive attacks.
Republished with Permission from Morphisec’s blog. Read the original publication