Patch/Configuration Management, Vulnerability Management

22% of all users still run Microsoft end-of-life Windows 7

The authors of a study comparing different commercial EDR products told SC Media they are re-testing after learning that they mistakenly tested five vendors’ endpoint protection platforms instead of their EDR systems. (Photo by Drew Angerer/Getty Images)

Researchers on Monday reported that 22% of PC users still use Windows 7, which Microsoft stopped supporting in January 2020.

In a company release, Kaspersky said the study was based on anonymized OS metadata provided by consenting Kaspersky Security Network users.

“A trusted operating system may seem fine on the surface, but if the vendor no longer supports it with important updates to the software, the system becomes more susceptible to attacks,” Kaspersky said. “When operating systems reach end-of-life, vulnerabilities will remain on the system without patch updates to resolve issues, providing cyber attackers with potential ways to gain access.”

Kaspersky strongly recommends that companies and all users update their operating systems to Windows 10, Microsoft’s latest OS. On the plus side, Kaspersky did find that 72% of all users run Windows 10 – and less than 1% are running the much older XP or Windows Vista OSes.

Using an operating system which has been declared end-of-life, and thus no longer receives security updates is akin to driving a car with a brake light on, said Oliver Tavakoli, chief technology officer at Vectra.

“The likelihood of disaster is great and yet it’s difficult to convey this to users of such systems without it appearing to to be trying to get them to spend more money,” Tavakoli said. “This would be a good place for a government or NGOs to step in to provide incentives and programs to upgrade, as it makes the entire ecosystem more secure.”

Dirk Schrader, global vice president of security research at New Net Technologies, added that public procurement policies at many government agencies quite often have no contingencies for an outdated OS, in the same way as the notion “it still works” dominates discussions when decisions are made about where to spend money from constrained budgets. In fact, government agencies themselves often push the envelope when it comes to upgrade deadlines, forcing extensions on service support from the vendor that can bring added costs.

“It will be interesting to see how this percentage is affected by the Biden administration’s initiatives over the course of the next 12 months,” Schrader said. “As digitalization efforts will require additional systems, it’s quite likely that existing ones remain unchanged. In any case, organizations still using Windows 7 are easier targets for cyberattacks because of the lack of updates and will likely face some public backlash and loss of reputation in case a data breach happens, not to mention the impact such a scenario might have on its cyber risk insurance status.”

John Hammond, senior security researcher at Huntress, said end-of-life operating systems still run on a sizable number of production systems across all industries. He said when security firms go through vulnerability assessments and audits these EOL operating systems undeniably come up as a finding.

“But when the report is handed back, the responsibility is on the organization themselves to upgrade these systems,” Hammond said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.