Windows 7: Don’t cry for me

It may have gone unnoticed with the January 14 end-of-support deadline for Windows 7, but Microsoft's 10-year-old OS had one last Patch Tuesday update. And, surprise, surprise, this included a critical security update for CVE-2020-0611, which the NSA reported is a remote desktop vulnerability affecting Windows 7 and newer operating systems.

In the past, Microsoft has remained committed to releasing the most critical security patches for unsupported operating systems, such as the Windows XP fix for the WannaCry attack, which afflicted systems around the world, including legacy hardware at the NHS. In February 2018, the Lessons learned review of the WannaCry Ransomware Cyber Attack report for NHS England reported that 80 out of 236 hospital trusts across England were affected; 595 out of 7,4545 GP practices (8%) and eight other NHS and related organisations were infected.

Organisations have had several years to migrate to Windows 10, which was released in 2015, starting the five-year countdown to Windows 7 end of support. But businesses do not generally shift from something that works well – like Windows 7 – to a new operating system just because Microsoft has released a new version. Migrating large PC estates can take years, as older PCs are replaced with new ones running the latest Windows OS. Certain applications and embedded systems cannot easily be migrated to the new OS, and so remain on an unsupported operating system, leaving them vulnerable to cyberattacks.

Could something like WannaCry happen again, with a vulnerability impacting legacy Windows 7 machines? Certainly every Patch Tuesday from now on will list critical vulnerabilities in Windows 10. How many of these also impact Windows 7?

“WannaCry was a clear example of the dangers that businesses can face when they are using software that has reached end of life,” says Ian Wood, Senior Director, EMEA Cloud & Governance Business Practice at Veritas.

Critical to health

Looking at the health service, due to device impact and criticality to clinical workflows and patient care delivery, many unsupported devices cannot simply be disconnected from clinical networks without severely disrupting operations. For example, MRI machines can be operational for over 20 years, far outliving their operating systems. The more devices there are running on unsupported operating systems, the larger the attack surface and the longer the exposure to cyber risk, with no end date in sight.

Data pooled across several hospitals from healthcare cybersecurity specialist, Cynerio, has found that radiology departments are most affected. Its research found that 40% of all connected medical devices run on Windows and almost 45% of devices like MRIs, CTs, and X-Rays run on Windows 7. These machines have particularly long life cycles. From this data, Cynerio estimated that over 20% of all medical devices run on the unsupported Windows 7 OS. Unsupported devices cannot be fully secured unless taken offline. “No device is risk free, especially network-connected devices. Medical devices are the weakest link: they are not designed with security in mind, have extensive lifecycles, and often cannot afford any downtime,” says Leon Lerman, Cynerio’s CEO and co-founder.