RIP Windows 7
Updated: Aug 10, 2020
If you or someone you know still has a PC running Windows 7, you may have screen this warning screen.
It’s not quite the dreaded Blue Screen of Death, but it is a warning to take seriously.
Starting today Microsoft will offer no more Windows 7 updates (including security patches).
What does this mean? Over time your Windows 7 PC will become dangerously insecure. Microsoft will continue delivering signature updates for its built-in antivirus (Windows Secure Essentials) at least for now, but it will no longer fix bugs in the operating system or browser.
How serious is this? Some Windows bugs create devastating vulnerabilities that attackers exploit. Look at this week’s Windows 10 security update that fixed an extremely serious bug the NSA uncovered. It’s just a matter of time before similar bugs in Windows 7 are found, but next time there will be no fix.
How long do you have? Technically your Windows 7 PC is at risk starting today. But it will take a while before the next serious security bug is exposed and exploited. Microsoft delivers Windows updates on the second Tuesday of every month (Patch Tuesday) so your Windows 7 PC will miss its first round of regular security fixes on February 11. By then you should be taking steps to protect yourself.
What should you do? The only truly secure solution is to upgrade your PC to Windows 10 or retire it.
What else can you do in the short term? Until you replace or upgrade your Windows 7 computer, here are some work-arounds to reduce your risk:
Install final Windows 7 updates. Microsoft issued a flurry of Windows 7 updates on the final day of support (January 14). Make sure to install all of them.
Keep Windows Updates on. Even though no more OS updates are officially expected, Microsoft has made occasional exceptions in the past, patching an unsupported OS when an extremely dire security bug was discovered, so leave automatic updates turned on just in case.
Continue using Windows Security Essentials (WSE). For now Microsoft says they’ll continue pushing out signature updates for the WSE antivirus tool. If that’s your AV solution then continue using it, but be prepared to switch to a third-party AV product later if Microsoft changes their minds.
Stop using Microsoft web browsers. Don’t use Internet Explorer to surf the web. Because it's considered part of Windows, it will no longer receive security updates. Use a secure third-party browser like Firefox – Mozilla plans to continue supporting Windows 7 for the foreseeable future.
Continue using Microsoft Office. Microsoft will continue supporting and protecting Office products (Outlook, Word, Excel, PowerPoint, OneNote) on Windows 7. This applies to Office 365, Office 2016, Office 2013, and Office 2010. Note: Office 365 Pro Plus will stop getting security updates in January 2023.
Consider Internet isolation. If February 11 comes and goes, and you’re still running Windows 7, try to isolate that computer from the Internet. This can be done in Windows Firewall settings. You don't have to hide the PC from your home network, just the outside world. Of course this means no more browsing the web or checking email on that machine. You’ll have to reconnect to the Internet monthly to download Office updates and WSE signatures.
UPDATE (8/5/20): The FBI issued a warning that attackers in the wild are actively exploiting vulnerabilities in Windows 7 computers. They urged all US businesses to upgrade or retire those computers immediately.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.