Windows 7 Users Denied Critical IE Security Patch As Microsoft Sticks To Support Blackout
For the most part, Microsoft will not be pushing out a critical patch to Windows 7 users to address a security flaw in Internet Explorer. Microsoft confirmed its plans in a statement, saying the only Windows 7 users who will receive the security update are those who are paying for extended support, as businesses are welcome to do.
Let's not feign surprise at the decision. Windows 7 enjoyed a nice, long run before it was finally retired last week, a decade and a half after it was first released to the public. Microsoft provided plenty of warning leading up to the last day of support, including nag screens urging holdouts to upgrade their PCs to Windows 10.
The bug in question is a zero-day remote code execution vulnerability in IE. If exploited, an attacker could corrupt a system's memory in such a way that they would then be able to run arbitrary code in the context of the current user. In other words, if a person is logged in as an administrator and falls prey to this attack, the malicious actor could take full control of their system.
Microsoft anticipates rolling out a fix to supported versions of Windows during the next Patch Tuesday rollout. Barring a change of heart, Windows 7 will not be included (save for businesses paying for extended support).
"Now that we have reached end of support, those customers without paid Extended Security Updates (ESUs) will not receive new security updates. We remain committed to helping our customers remain secure as they modernize their systems and make the move to Windows 10. While we provide long lead times for upgrades, we understand that some customers still need more time, which is why we have several options for our customers— services like Microsoft FastTrack to expedite migrations, desktop virtualization using Windows Virtual Desktop (which includes Extended Security Updates for three years), or paying for Extended Security Updates (ESUs) annually for up to three years. We will continue to work with our customers on the path that makes the most sense for them beyond the end of support date," Microsoft said in a statement.
Historically, Microsoft has made exceptions to supporting legacy OSes, though usually only in dire circumstances. For example, it opted to patch Windows XP systems when the WannaCry ransomware was wreaking havoc.
In this case, Microsoft said it is aware of "limited targeted attacks" leveraging the bug in IE. Though it is a zero-day exploit, it's also a much different situation than WannaCry. I fully understand that Windows 7 users might be frustrated at Microsoft drawing a hard line so close to the end-of-support date, but I'm not willing to rake the company over the coals on this decision. Windows 7 is retired, and any future pro bono support updates should be seen as a bonus, not an expectation.
Image Source: okubax (via Flickr)