
Microsoft warns Windows 7 users of looming end to security updates


Microsoft has rolled out a patch that will warn Windows 7 users that security updates will soon come to an end.

The patch, rolled out Wednesday, warns users of the impending deadline of January 14, 2020, after which the software giant will no longer ship fixes for security vulnerabilities. The deadline comes some 10 years after Windows 7 debuted in 2009, more than half a decade before Microsoft's most recent operating system, Windows 10, was introduced.

Microsoft's move to stop issuing security updates is part of the company's ongoing effort to push users to its latest software, which is built on a stronger security foundation and includes newer mitigations against attacks.

Starting April 18, users on Windows 7 will begin receiving warnings about the approaching cut-off.

Windows 7 still commands some 40 percent of the desktop market, according to Net Applications. With exactly 300 days before the deadline, the clock is ticking on consumer security support.

Enterprise customers have the option to pay for Extended Security Updates (ESU), which run until January 2023.

For years, Microsoft allowed Windows 7 users to upgrade to Windows 10 for free to encourage upgrades. With those incentives gone, many users now face only the end of security updates, which will leave business data and systems exposed to attack.

It is almost unheard of for Microsoft to patch end-of-life software. In 2017, Microsoft released rare security patches for Windows XP, retired three years earlier, to prevent the spread of WannaCry, a ransomware strain that spread using leaked hacking tools developed by the National Security Agency.

The ransomware outbreak knocked schools, businesses, and hospitals offline.

Windows 7's successor, Windows 8, reached the end of support in January 2016; its free update, Windows 8.1, will continue to receive updates until January 10, 2023.

Windows 10 included a password manager complete with massive password-stealing potential


Microsoft has been bundling a password manager with a dangerous flaw in some versions of Windows 10, a Google security researcher has revealed. Tavis Ormandy noticed that his copy of Windows 10 included Keeper, which he had previously found to be injecting privileged UI into web pages. The version Microsoft was shipping with Windows 10 had the same bug. What does this mean? In short, it allowed any website to steal passwords from the Keeper vault.

Keeper was included in some Windows 10 installations as a browser plugin, and it contained the very same vulnerability that Ormandy had reported nearly a year and a half earlier. With little more than a couple of easily implemented tweaks to his earlier proof of concept, he found it was possible to steal passwords stored within Keeper.

Ormandy shared details of the vulnerability on Twitter:

I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn’t take long to find a critical vulnerability. https://bugs.chromium.org/p/project-zero/issues/detail?id=1481 

He also posted on the Project Zero page, saying:

I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called “Keeper” is now installed by default. I’m not the only person who has noticed this:

https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/

I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.

Having been made aware of the problem, the developers of Keeper issued a patch within 24 hours, saying:

This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.

There have been no reports of the vulnerability having been exploited.
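The two statements above, Ormandy's ("injecting privileged UI into pages") and Keeper's ("fakes user input ... to execute privileged code within the browser extension"), describe the class of weakness but not why it is fatal. The following is an added illustration, not code from the original page and not Keeper's or Project Zero's code: a small Node.js simulation of the DOM event model showing why a vault picker rendered inside the page's own DOM can be driven by that page's scripts, and how keeping the UI out of page-reachable DOM and rejecting untrusted events closes that path. The vault contents, element ids, origins and function names are constructed for the example; the selectors and navigation used in the real report are not reproduced.

```javascript
// Stand-in for DOM elements. As in the real DOM, events delivered through
// dispatchEvent() carry isTrusted === false; only the "user agent" helper
// below can produce a trusted event.
class Element {
  constructor(id) {
    this.id = id;
    this.listeners = [];
    this.value = '';
  }
  addEventListener(fn) { this.listeners.push(fn); }
  dispatchEvent(detail) { this.deliver({ ...detail, isTrusted: false }); }
  deliver(ev) { for (const fn of this.listeners) fn(ev); }
}

// The user agent generating a genuine click (not reachable by page scripts).
function userClick(el, detail) { el.deliver({ ...detail, isTrusted: true }); }

// A web page: its origin and the elements its scripts can reach.
class Page {
  constructor(origin) {
    this.origin = origin;
    this.passwordField = new Element('password');
    this.elements = new Map([['password', this.passwordField]]);
  }
}

// Constructed vault contents (assumed for the example, not real data).
const VAULT = {
  'https://bank.example': { user: 'alice', password: 'hunter2' },
  'https://mail.example': { user: 'alice', password: 'correct-horse' },
};

// Privileged UI: a picker whose click handler copies the chosen entry's
// password into the page's password field.
function buildVaultPicker(page, requireTrusted) {
  const picker = new Element('keeper-ui');
  picker.addEventListener((ev) => {
    if (requireTrusted && !ev.isTrusted) return; // reject script-faked input
    const entry = VAULT[ev.entry];
    if (entry) page.passwordField.value = entry.password;
  });
  return picker;
}

// Vulnerable pattern: the picker is injected into the page's DOM, so the
// page's own scripts can find it and "click" it for any vault entry.
function installVulnerable(page) {
  page.elements.set('keeper-ui', buildVaultPicker(page, false));
}

// Partial fix: still in the page DOM, but synthetic events are ignored.
// Page scripts can no longer fake the click; a lured genuine click on an
// overlaid element would still count as trusted.
function installTrustedCheckOnly(page) {
  page.elements.set('keeper-ui', buildVaultPicker(page, true));
}

// Hardened pattern: the picker lives in extension-owned state that page
// scripts cannot reach (in a browser: a frame on the extension's origin),
// and its handler also ignores synthetic events.
function installHardened(page) {
  page.extensionFrame = { picker: buildVaultPicker(page, true) };
}

// What a malicious page's script does: locate the injected picker, ask it
// for another site's entry, then read the filled value from its own input.
function maliciousScript(page, wantedOrigin) {
  const picker = page.elements.get('keeper-ui');
  if (picker) picker.dispatchEvent({ type: 'click', entry: wantedOrigin });
  return page.passwordField.value; // '' if the attack failed
}

// Runs the attack from an attacker-controlled origin against one design.
function runAttack(install) {
  const page = new Page('https://evil.example');
  install(page);
  return maliciousScript(page, 'https://bank.example');
}

// Legitimate use of the hardened design: a genuine click still fills.
function legitimateFill(origin) {
  const page = new Page(origin);
  installHardened(page);
  userClick(page.extensionFrame.picker, { type: 'click', entry: origin });
  return page.passwordField.value;
}

console.log('vulnerable design leaks:', JSON.stringify(runAttack(installVulnerable)));
console.log('isTrusted check only leaks:', JSON.stringify(runAttack(installTrustedCheckOnly)));
console.log('hardened design leaks:', JSON.stringify(runAttack(installHardened)));
console.log('hardened genuine fill:', JSON.stringify(legitimateFill('https://bank.example')));
```

The point of the three variants: once the extension's UI is an element the page can address, the page's script is as good as a user, and the vault entry it asks for need not belong to the page's own origin. Checking `isTrusted` blocks script-generated events but not a real click lured onto a disguised element, which is the clickjacking case Keeper's statement refers to; that is why the UI also has to live somewhere the page can neither script nor overlay, such as a frame on the extension's own origin or the extension popup.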

Image credit: Maddas / Shutterstock