Why Windows 7 isn't safe in today's security landscape

If there's one theme that has defined the computing era, it's that technology changes very rapidly. This has become even more true as the internet took central stage in the last decade or so. This means that older software and hardware that might still be perfectly usable for its original application may well have been designed well before some of the latest significant developments, and particularly without knowledge of the most recent security risks. This is very true of Windows 7, which is approaching ten years old and will be losing Microsoft support in January 2020.

When Windows 7 was launched, ransomware attacks as epitomised by WannaCry in 2017 weren't significant. The first ransomware attack dates back to 1989, distributed via floppy disk, and the internet gave the idea its perfect platform so that it began to grow in the 2000s. But it wasn't until 2011 that ransomware came of age, with 60,000 new strains detected in Q3 2011, rising to 200,000 in Q3 2012, then hitting 750,000 in Q1 2015 and 2.25 million in Q4 2017. The most popular ransomware code from the 2011-15 era was CryptoWall, using a Java vulnerability to infect computers via domains belonging to Disney and Facebook.

A migration to Windows 10 need not be painful, and the benefits will far outweigh the work involved. Learn how and why to migrate in IT Pro's guide.

Download now

Windows 7 just wasn't architected to guard against attacks of this nature, because they weren't an issue at the time of its inception, so for example it has a compromised version of the Server Message Block network file service installed as standard. Threats have moved on since then, too. If you can afford to lose all your files (or have a recent backup), you can recover from a ransomware attack by wiping your hard disk and reinstalling everything again, then reinstating your files from a backup that predates the ransomware's arrival.

But now there's an attack that can withstand even this drastic measure, because it infects the UEFI BIOS itself. Called LoJax and created by Sednit, the infamous Fancy Bear Russian hacker group, it works like a rootkit and exploits a vulnerability in Computrace LoJack. Rather ironically, LoJack is software designed to help trace a stolen computer and remotely delete or block files when this has happened. The LoJax exploit injects malware into the UEFI BIOS, which then loads compromised binaries into the Windows OS at boot time. This can then be used as a trojan to download further malicious code to the system.

Since LoJax infects the UEFI BIOS, it doesn't get deleted even if you wipe your main disk's operating system, reformat the primary storage, and reinstall everything. It will simply reload itself from the UEFI BIOS on boot and be up and running again on your new, allegedly clean system. This is because the UEFI code resides on a firmware chip on the motherboard, not a peripheral storage device. However, UEFI was still only being developed when Windows 7 arrived. So whilst you can install Windows 7 on a UEFI-based motherboard, you can't do so with Secure Boot Mode enabled, which helps prevent this kind of attack. So a Windows 7 system is naturally going to be more vulnerable.

There are ways to make a system that is even more resilient to this kind of attack, such as HP's Sure Start Gen4 self-healing BIOS. This detects changes to the BIOS on boot and will prevent malicious code from running. Even if somehow the UEFI BIOS does get infected, Sure Start will detect it and reinstate a clean copy of the BIOS to reverse any compromises that may have occurred. It also includes Runtime Intrusion Detection that can detect changes in real-time as they occur, protecting virtual machines as well. A PC with Sure Start Gen4 is therefore impervious to BIOS-level attacks, making upgrading to a new Windows 10-based system including this facility essential for full security.

A lot has changed since October 2009, when Windows 7 first arrived. At that time, the computing world was still very much focused on desktops and notebooks. Although the first iPhone had been launched a couple of years earlier and was already on its third generation by 2009, the smartphone was still at the early-adopter stage, rather than the device in everybody's pocket that it is today. Similarly, Amazon was already showing dominance for online shopping, but the landscape of other huge internet companies that use big data to provide service efficiencies had not yet built up.

Now, smartphones are ubiquitous, and more people access the internet on mobile devices than with desktops. According to Net Market Share, nearly 58% of users are now accessing the internet via mobile or tablet. Similarly, behemoths like Uber, Netflix and Facebook have placed online data centre stage. Social media platforms encourage us to make huge chunks of data about ourselves publicly available, which can be used to attack our computing devices by providing suggestions for guessing our password reminders. Alternatively, "reverse social engineering" uses publicly available information to make impersonators appear legitimate, fooling the victim so that they can be lured into accidentally installing malware, or for full-scale identity theft and fraud.

With traditional ransomware profiles now well known, malware has moved on too. Instead of holding your files ransom in return for Bitcoin payments, the software payload has shifted to installing cryptocurrency mining software surreptitiously and using your computer to earn the virtual money directly without you even realising what is going on. McAfee claims this kind of malware has grown 4,000% from 2017-18, reaching nearly four million detected devices by Q3 2018.

The IT Pro guide to Windows 10 migration' explores how to plan your migration from Windows 7 and ensure it's a successful transition. Download it here.

Download now

This rapid pace of change shows no sign of abating anytime soon and will probably increase. The plethora of mobile devices has made them a valuable target for security attacks, with over 1.5 million new threats every quarter, again according to McAfee. Internet of Things (IoT) devices are now proliferating home and business alike. Gartner predicts that the installed base of IoT devices will have nearly doubled in two years by 2020, from 11.2 billion units in 2018 to 20.41 billion units in 2020. So far, McAfee only sees 25-45,000 new IoT attacks a quarter. But with the notoriously poor level of security on IoT firmware and operating systems, particularly cheap generic wireless security cameras, the problem is only just starting, and the trend is upwards.

There's no denying that Windows 7 was one of the "classic" versions of Microsoft's flagship operating system. It modernised the familiar user interface of Windows 95/2000/XP without forcing a new way of working and rightfully has outlived the poorly considered Windows 8 and 8.1 that attempted to replace it. But a lot has happened over the last decade of rapid computing development, and its day is now done. A new system with Windows 10 can provide much greater security from today's threats. It was designed from the ground up with UEFI in mind, so works with the highest levels of BIOS-level security enabled. It will also continue to be patched and developed, with Enterprise editions receiving extended support until 2029. So the time is now to end Windows 7's decade of rule, and give your company another ten years of security to look forward to.

Discover more about HP Elite PCs and Windows 7 to Windows 10 migration


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.