It can hardly have escaped your attention that Windows 7 has now reached end of life. For companies and enterprise customers unwilling to pay for Extended Security Updates, this means there will be no more updates. The average home user who has decided to stick with Windows 7 has been completely abandoned by Microsoft, leaving them with an operating system that could be found to contain an endless number of security vulnerabilities.
But, actually, there is another option for home users, and it does not involve paying any money to Microsoft. We’re talking micropatches. Specifically, we’re talking about micropatches from 0patch. We’ve covered the work of this company in the past, including its recent fix for the Internet Explorer vulnerability.
0patch describes itself as “a microscopic solution for a huge security problem”, issuing fixes for software faster than official developers, and it has pledged to continue to support Windows 7. Following on from what it did with Microsoft Office Equation Editor, 0patch has already announced that it is going to “security-adopt” Windows 7 and Windows Server 2008.
Microsoft has — at least in theory — released the last update for Windows 7 that will be available to everyone. So 0patch is taking over. The company will use security advisories that are issued by Microsoft to determine any vulnerabilities in Windows 7 and Windows Server 2008 that need addressing, and work to produce fixes.
With Windows 7 now officially at EOL, 0patch is adopting the following approach:
- Each Patch Tuesday we’ll review Microsoft’s security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching.
- For the identified high-risk vulnerabilities we’ll inspect Windows Updates for supported Windows versions (e.g., Windows 10) to confirm whether the vulnerable code that was fixed in Windows 10 is actually present on Windows 7 or Windows Server 2008. (For all intents and purposes, such vulnerabilities will be considered 0days for these OSs.)
- If the high-risk vulnerable code is found to be present on Windows 7 or Windows Server 2008, we’ll start a process of obtaining a proof-of-concept (POC) for triggering the vulnerability. Sometimes a POC is published by security researchers soon after the official vendor fix is out (and sometimes even before); other times we can get one from our partner network or threat intelligence sources; occasionally researchers share a POC with us privately; and sometimes we have to create a POC ourselves by analyzing the official patch and working our way out towards the input data that steers the execution to the vulnerability.
- Once we have a POC and know how the vulnerability was fixed by the people who know the vulnerable code best (i.e., Microsoft developers), we’ll port their fix, functionally speaking, as a series of micropatches to the vulnerable code in Windows 7 and Windows Server 2008, and test them against the POC. After additional side-effect testing we’ll publish the micropatches and have them delivered to users’ online machines within 60 minutes. (Which by the way means that many Windows 7 and Windows Server 2008 computers will be patched sooner than those with still-supported Windows versions where organizations will continue to prudently test Windows updates for days or weeks before having them applied to all computers.)
Using 0patch means that you don’t have to pay a penny to Microsoft, but it doesn’t necessarily mean that you will be able to keep Windows 7 updated and secure free of charge. 0patch offers three service tiers — Free, Pro and Enterprise. The Free tier, obviously, doesn’t cost anything, but no Windows 7 patches are guaranteed to be released for free. The company explains:
0patch FREE will continue to be available and we’ll continue to add select micropatches to the FREE plan but we need to emphasize that 0patch FREE is by no means a suitable method for keeping Windows 7 and Windows Server 2008 reasonably secure after their EOS.
Despite the name, the Pro tier is suitable for both home and professional users and it includes access to both Windows 7 post-EOS patches and Windows Server 2008 post-EOS patches. Unlike Microsoft’s Extended Security Updates, 0patch Pro is very competitively priced — just $25.95 (or €22.95) per agent per year.
Clearly, relying on a third party to secure your operating system requires something of a leap of faith and trust in a company you may be unfamiliar with. But over the years 0patch has proved its worth, and for anyone who — for whatever reason — is going to continue using Windows 7, its micropatches could represent the most cost-effective and sensible way of keeping the unsupported operating system secure.
0patch CEO Mitja Kolsek confirmed to BetaNews that “we plan to provide security micropatches for Windows 7 for three years”, adding “the condition being, obviously, that enough users are interested in the service to keep it economically sound”.
Image credit: 0patch