Guys, let's think logically about this. Windows 7 has reached the end of the road. That's what we know as fact at this point. Even if Window 7 embedded continues to receive updates until next year the fact is that MS will not dedicate a lot of time and resources to update it since the Win 7 embedded market is negligible from what I understand (I work in IT for a Fortune 500 company and we have access to knowlegeable MS support staff). Even if guys who are incredibly smart like abodi manage to create a solution to inject embedded updates to non-embeded Windows 7 there is a security risk because Win 7 embedded is simply not an MS priority any more. Dont forget that it looks like most software will not be updated for Windows 7 either, so you have to ask yourself if the time and effort to maintain this for another year or so worth it? Your call of course, I'm just pointing out that you need to seriously consider other solutions at this point.
From an article in the summer I read Windows 7 still had a 10% adoption roughly the same as Windows 10 so there are still plenty of companies that simply can't afford to migrate everything. The Fortune 500 might be on the latest and greatest but not Johnny that figured he'd get a bunch of life out of his computer purchases a decade ago. Dunno how secure Windows 10 and 11 are when they actively serve you ads and collect your data. I think the reason most people on 7 stay here is cause 10 is more like a fork rather than an upgrade and we're trending sideways as Microsoft is running out of ways to make a buck.
My earlier point had to do with the risk one assumes by continuing to use Windows 7, and nothing more. There is a probability of danger by using an OS that MS no longer cares about, and trying to justify it's continued use and looking for workarounds does not change that in any way. As an example, there is an agreed upon protocol when vulnerabilities are discovered by researchers where the vendor is notified and alloted a set number of days to issue a patch before the vulnerability gets released publicly. Thus with Windows 7, you can be assured of 2 things. 1 - that MS will do nothing about the threat (except in extremely rare cases) and 2. - the vulnerability will be accesible to every script kiddie on the planet If you think that somehow applying Windows 7 embedded updates will solve the problem at least in the short term, again ask yourself how much time and effort do you think either MS or researchers will spend on securing it? Personally I cannot see any winning scenario in continuing to use Windows 7 (which happens to be my favorite os, btw) but to each his own.
So after 13 years of patching Windows 7 still has vulnerabilities? And when those gets patched, there will be new vulnerabilities? And the cycle will continue indefinitely? And if these vulnerabilities really get patched why are 13 million security softwares are for including Mocrosft's own defender. Windows have been continuously in development since past 3 decades and they still haven't figured out the vulnerabilities especially in the older OS'es like 7 and 8.1, heck even 10 is around for 7 years now. Bugs are rooted out pretty soon after the initial release of the OS, I just keep wondering what vulnerabilities are there in these OS'es that needs patching once every month.
I use many operating systems from Windows XP to 10 and Linuxes. No problems with security with any of them. Old Windowses could have plenty of security holes, but vast majority of them are completely unusable to compromise home/small business user system. The remaining are very hard to use by hackers if user is smart. Just investigate them and think about them instead of spreading FUD. For example, plenty of them are elevation of privilege, information disclosure, etc. What is the meaning of EoP security hole for someone who already works on Admin account. Zero, literally zero. From my decades of experience, I can say that almost all successful infections of typical users computers were due to their own faults or faults of corporate admins (bad system configurations) rather than the OSes. Unlike in the past (Windows XP SP1 or older), modern OSes are quite good and they are no longer security nightmare. And there are always means to make them secure (enough for regular use) if you know what you are doing and you know what are typical vectors of infection. Are you aware that new and old Windowses share lion's part of their codebase ? Patches for Windows XP in April 2019 where almost 1 to 1 identical with those for Windows 10. They were few security holes in Win10, that hasn't existed in WinXP at all, but all other were identical (check it). And think about it when you will think that different Windowses are totally different OSes. The relation between new Windowses with old Windowses is like relation between rolling release Linux with stable Linux. These are the same OSes, just some are frozen with less (or no) new features for the purpose of stability. Many users prefer stability over functionality and that is the reason why they prefer older versions instead of latest/hottest ones.
support.microsoft.com/en-us/topic/kb4522133-procedure-to-continue-receiving-security-updates-after-extended-support-ended-on-january-10-2023-48c59204-fe67-3f42-84fc-c3c3145ff28e "[...]to get security updates until January 9, 2024" The following customer base has legibility to the fourth year of the ESU program: [...] Windows Embedded POSReady 7 Windows Embedded Standard 7 they could release dx12 support, proton vk support already implemented by modders for some games. . the only things I miss is nvidia drivers past 474.11. I could not find any 52x. driver(s) for windows 7. I've googled a lot, no results for me.
As of January 10, 2023, Microsoft will no longer provide new features/technical support for Windows 7-not even for a fee! We'll miss it tremendously… but unfortunately for retrogrades, we can't turn back.
more exactly what are you missing? reddit.com/r/windows7/comments/10ke02v/comment/j5r0rjp/?utm_source=share&utm_medium=web2x&context=3 u can have anything from office (libre/ last offline office is 2013). u can have adobe cc 2018 firefox games (ff xvii remastered, GoW 2018, Elden Ring and even Valhalla all works via mods/ vk proton; Witcher 3 4.0 , cp 2077 1.6 (version without dlss launched from folder, not from gog galaxy) etc. u have an extended list of gaming working on gog with minor modifications here gog.com/forum/general/does_it_run_on_win_7_thread/post136
to exploit elevation of privilege you first have to be already running code on the victim's computer. From what I see theres two ways this usually happens: 1) installing cracks/keygens for a bunch of different games from a dozen different piracy sites will get you infected sooner or later 2) running an out of date browser or even just allowing ads and scripts on shady sites like piracy/porn if you've 1) already turned off network-facing services that you dont use like those targeted by WannaCry & have a properly configured firewall, 2) don't install programs you don't absolutely trust, and 3) don't allow your up-to-date browser to randomly open/execute things it downloads from the internet, and avoid allowing javascript on shady sites, you're doing a whole lot better than people who install the most recent windows/linux and don't follow Rules 1 & 2 above
@timis : There is no need for "proof" , it's like you're asking to prove that water is wet because you are missing the point and misunderstanding the concept. Local escalation of privilege means exactly what it says on the tin: local. First of all, I've never considered Windows to be a properly siloed multi-user system where the privileges of different users even matter, as there has been (and because of how the NT system is put together, probably always will be) literally dozens of ways to locally escalate privileges at any point of the time in the Windows history. I don't even know why they bother making security bulletins out of them since there never has been a point in time where privilege escalation wasn't possible. Windows as a whole was never really properly secured between users on the computer, especially not after they merged the NT codebase with the home editions. It simply isn't designed that way. This is why Linux has been and continues to be the #1 choice for multi-user server systems, since it was designed around multi-user "mainframe" type usage from the ground up. Linux obviously has had it fair share of LPE's too, but nothing like Windows and is much more secure in that regard. Secondly, the best way to approach security is to think that if someone has physical access to your system, you're pretty much f**ked at that point anyway. If your home and by extension, your PC, is constantly being accessed by outside actors who wish you harm, I'd say you have bigger problems to worry about. If not, local privilege escalation is not something to worry about in the safety of your own home. Thirdly, we are not talking about whether to deploy Win7 as your company's server infrastructure, but whether to use it as your daily driver, home computer, operating system. We are also not talking about enterprise deployment of Windows 7 workstations to a Fortune 500 company environment. Home users do not need a enterprise network where all the other workstations need to be connected to each other and potentially present a point of entry to your system. It is only your computer which needs to be protected from the wider internet, which is not much of a problem when done properly. This is the Spectre/Meltdown thing all over again, where the tech ""reporters"" do not understand the concept they are talking about nor the gravity of the situation and then blow everything out of proportion. I am not saying those are not real and potentially damaging bugs, I'm saying that the facts are misrepresented when reported by people who do not understand the actual research. If some nation-state level actor can potentially leverage those to, let's say, reveal a private key used in secure communications between international banks using the SWIFT protocol, then obviously it can have catastrophic consequences. But that does not mean at all that it is something that a typical personal computer user needs to worry about. If you read the papers and really understand what those bugs are about, you would know this. Quoting you, "let's let the facts speak for themselves", as to my knowledge there have been zero times identified where those bugs have been actually exploited in the wild, much less any attack which would target the home PC user. The chip makers know this too, but people get triggered if they're told that "you just don't understand, don't worry about it" so it's a better PR move to acknowledge it and say "we will fix this issue", further spreading the FUD about it ever being an actual threat to the average Joe. The only real problems are RCE's , which is again what is says on the tin: remote code execution. By definition, it is remote, meaning the ability of executing code on your computer over the network. This is the stuff which causes Wannacry ransomware breakouts and real damage to even the home users. This the thing you need to worry about. RCE's still need a point of entry to your system, obviously any software which connects to the internet and has shoddy coding can present this threat. But we are talking about the OS level here, not the software you choose to run. For someone to be able to connect to your computer, a port needs to be open in your system by a vulnerable service servicing that port to the outside internet. Excluding a bug in the network driver/stack itself, if there is no open port, no service to connect to, it is literally impossible to attack as much as it is impossible to walk through a concrete wall. At this point Windows 7 has been around for so long that the basic internet-facing services seem to be pretty much secure. And at this point, "not supporting" also means not creating any new, potentially vulnerable services to attack. Any typical home router setup also acts as a firewall between the wider internet and your computer. By default, connections from the outside internet to the ports on your computer aren't allowed unless you specifically forward those ports yourself or you are the one initiating the connection to the other party. This already greatly improves your security, since those potentially vulnerable services cannot even be accessed from outside internet. This isn't even any fancy security feature or require a router labeled with "firewall" as a marketing gimmick, it is simply how routers work. As the connection from outside cannot be forwarded to any particular computer on your network, simply because the router can't know which one it's meant for without explicitly being told that. You can obviously harden the OS yourself too by disabling any internet facing services you don't need. For example, the ransomware attacks in recent years used flaws in the print spooler server to achieve remote access. If you don't need your computer to act as a remote print server, just disable that s**t, problem solved. Even if more bugs will be found in the print server, it doesn't matter to you since the service is not running, port is not open. The same applies for any service which listens to a port or connects to the internet. If you have no open ports or system services accessing the internet, there is no vector of attack. Now here is the catch, all this actually plays in the favor for Windows 7, since you actually can disable the services you don't need and all the telemetry connecting to the internet. When the OS does not have any services which connect to the internet, you cannot be attacked from the internet, simple as that. After that, again excluding a bug found in the network stack/driver, the OS itself is pretty much bulletproof forever without any further updates even needed. In Win7 there is no Store, no Cortana, no Xbox Online Services, no news, no data collection / telemetry services (after you disable them), list goes on. By introducing these new always-online ""features"", every single one of them is also a potential attack vector. I'm not saying you aren't safe on the latest Windows when you keep up with the updates, as any exploits will be patched quickly. What I'm saying is that when you make a properly configured Win7 installation, you could pretty much leave it as-is for 10 years and still be secure. If you did the same with a later Windows version with 100x the crap of what Win7 has, you most certainly wouldn't be.
Great analysis! The only thing that I would add is a manual mode firewall like "Windows Firewall Control". Where you can screen everything and allow/deny and make rules. Problem solved. (Any 4.x version works fine on Vista and Seven, probably can work even on XP since it needs dotnet 4.0) I would avoid later versions though because it got bought up by malwarebytes and it is not the same anymore (for example you cannot block some system services anymore).
I'd suggest SimpleWall by henrypp since it doesn't control the Default Windows Firewall (which is the first thing mawlare would disable or whitelist itself through). SimpleWall is FOSS, uses WPF, has the ability to block services and also includes 1506 blocked telemetry crap IPs in the settings. It's a bit tricky to set up but definitely worth it.
February 2023's Patch Tuesday is here and it has been confirmed that you can install Embedded Standard 7/Server 2008 R2's update on regular Windows 7. For more info: https://forums.mydigitallife.net/threads/80606/ https://forums.mydigitallife.net/posts/1584892/ https://forums.mydigitallife.net/threads/45005/ I'm closing it here.