FBI Issues Warning Over Windows 7 End-of-Life (zdnet.com)
The Federal Bureau of Investigation sent a private industry notification (PIN) on Monday to partners in the US private sector about the dangers of continuing to use Windows 7 after the operating system reached its official end-of-life (EOL) earlier this year. From a report: "The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status," the agency said. "Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered." "With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target," the FBI warned. The Bureau is now asking companies to look into upgrading their workstations to newer versions of the Windows operating system.
Unpatched systems may be vulnerable, news at 11 (Score:2, Redundant)
Thanks FBI.
Re: (Score:2)
Well, you know, unless MicroSoft caves on some particularly bad problem again.
You mean, like the particularly bad problem of shoving their new browsers down people's throats?
For Microsoft, security failures are profitable! (Score:2)
Windows 10 is possibly the worst spyware ever made. [networkworld.com] "Buried in the service agreement is permission to poke through everything on your PC."
Is Windows 10 the worst OS ever created? Some of the MANY very negative articles:
Windows 10 is possibly the worst spyware ever made. [networkworld.com] "Buried in the service agreement is permission
FBI author apparently has NO understanding. (Score:2)
Quote from the 1st page: "Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system."
That statement indicates that whoever wrote the PDF file has NO understanding of the situation.
Sorry, in my parent comment, I repeated the link to the Windows 10 Worst Spyware article.
Re: (Score:2)
I think many people conflate security with privacy. What everyone in this thread is upset about is the loss of privacy. Microsoft gathering telemetry is not a security issue (it works as intended); it's a privacy issue.
You can be secure and not private. Microsoft wants to take your information, they want to take your privacy. Security is a different matter.
Re: (Score:3, Insightful)
Insofar as you use your computer for purposes you'd want secure, such as online banking, privacy equals security to large extent.
Microsoft's telemetry has every ability to scan your machine for things like passwords opened in password banks, capture your keyboard inputs, including those on the login pages, etc. Sure, they're not using this information against you right now, unless you're an enemy of the state.
Which doesn't mean that it won't be used against you in the future, be it a national government wit
Re: (Score:2)
They recently found a vulnerability with the print subsystem that dates back to NT 3.51
Sigh. (Score:3)
"The Bureau is now asking companies to look into upgrading their workstations to newer versions of the Windows operating system"
Support ended in January and only NOW are you looking at upgrades?
That's your problem, right there, and from the horse's mouth - the people trying to tell you to upgrade are no further ahead than those people they're telling.
Re:Sigh. (Score:4, Interesting)
no further ahead than those people they're telling
I'll bet that the FBI still has some XP systems sitting around.
Re:Sigh. (Score:4, Insightful)
I have one NT 4.0 still doing its appliance job. As an admin, I find Win7 more professional and under control. It is solid.
Recall Windows 8 to get a picture of how priorities have changed since; the Win 10 user interface is ever-changing, eternally scrollable crap.
Today I had to resend a couple of invoices, which I do once every month. Got the web interface of Outlook 365 to handle that. It used to be so simple: find the last mailing in Sent, make a copy into Drafts, edit to your pleasure, send. Not anymore. The evolution of the MS mail client is so advanced as to make items in Drafts uneditable, even if you have figured out how to copy your item into other folders and from there into Drafts. They are rock solid, no way to change them. Again, in Drafts. You have to go compose a new message, then copy and paste your subject, receiving party, and your content, each separately. Like a child.
I will upgrade to Win 10 for my client. My own Windows instance is going to stay Win 7 as long as possible. Insecurities, they are everywhere - just newer ones for Win 10.
Re: (Score:2)
The major issue you'll have coming up shortly is the lack of support for TLS past v1.2.
Who cares? Nobody uses Schannel to begin with.
Any non-Microsoft browser includes its own TLS stack. Firefox NSS, Chrome OpenSSL or some such. Ditto for most third party software.
most have already lost the ability to connect to many Microsoft/Google ecosystem out there and soon that will be ANY online system.
Completely false.
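The exchange above turns on what a Windows 7 Schannel client will actually offer. Schannel decides per protocol from two DWORDs under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<protocol>\Client: Enabled=0 disables it outright, and DisabledByDefault=1 keeps it available only to applications that explicitly ask for it. The script below is an added example, not code from the thread or from Microsoft; it evaluates that logic offline against an assumed Windows 7 SP1 baseline (TLS 1.0 on by default, TLS 1.1 and 1.2 present but DisabledByDefault, no TLS 1.3 at all) and, on a live Windows host, reads the real overrides from the registry. Treat the baseline table as an assumption to check against your own image.

```python
"""Evaluate which TLS versions a Windows 7 Schannel client will offer.

Added example; not from the original thread. The WIN7_DEFAULTS table is an
assumption (Windows 7 SP1 client side) and should be verified on a real image.
"""
import sys

SCHANNEL_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Assumed Windows 7 SP1 client defaults: (Enabled, DisabledByDefault).
# "TLS 1.3" is deliberately absent: Windows 7 Schannel never implemented it.
WIN7_DEFAULTS = {
    "TLS 1.0": (1, 0),
    "TLS 1.1": (1, 1),
    "TLS 1.2": (1, 1),
}


def effective_protocols(overrides, defaults=WIN7_DEFAULTS):
    """Return {protocol: 'default' | 'opt-in' | 'disabled' | 'unsupported'}.

    `overrides` maps protocol name -> dict of DWORDs read from the Client
    subkey; a missing value falls back to the OS default for that protocol.
    """
    result = {}
    for proto in list(defaults) + ["TLS 1.3"]:
        if proto not in defaults:
            result[proto] = "unsupported"
            continue
        enabled, disabled_by_default = defaults[proto]
        vals = overrides.get(proto, {})
        enabled = vals.get("Enabled", enabled)
        disabled_by_default = vals.get("DisabledByDefault", disabled_by_default)
        if enabled == 0:
            result[proto] = "disabled"          # Enabled=0 wins over everything
        elif disabled_by_default:
            result[proto] = "opt-in"            # only apps that request it get it
        else:
            result[proto] = "default"           # offered by every Schannel client
    return result


def modern_servers_reachable(state):
    """True if a plain Schannel client reaches a server that requires TLS >= 1.2."""
    return state["TLS 1.2"] == "default" or state["TLS 1.3"] == "default"


def read_overrides_from_registry():
    """Read the Client subkeys from HKLM on a live Windows host (winreg only)."""
    import winreg
    overrides = {}
    for proto in WIN7_DEFAULTS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 SCHANNEL_KEY + "\\" + proto + r"\Client")
        except OSError:
            continue                              # no override key: OS default applies
        with key:
            vals = {}
            for name in ("Enabled", "DisabledByDefault"):
                try:
                    vals[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass
            overrides[proto] = vals
    return overrides


if __name__ == "__main__":
    overrides = read_overrides_from_registry() if sys.platform == "win32" else {}
    for proto, state in effective_protocols(overrides).items():
        print(f"{proto:8s} {state}")
```

With no overrides the baseline comes out as TLS 1.0 default, TLS 1.1/1.2 opt-in and TLS 1.3 unsupported, which is why an unmodified Windows 7 client built on Schannel (WinHTTP, .NET before its own opt-in, older Outlook) fails against a TLS 1.2-only server while a browser bundling its own TLS stack still connects. Setting Enabled=1 and DisabledByDefault=0 under the TLS 1.2 Client key flips it to default; nothing in the registry can add TLS 1.3.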
Re: (Score:2)
Fry's was running WinXP a year ago in their stores.
11 years old. (Score:5, Insightful)
Re: (Score:3)
Your company should consider moving to an IT upgrade cycle at least as frequent as your vehicle cycle.
MOD! PARENT! UP!
First time a car analogy could actually be useful.
Of course, cars get more mechanical wear and tear than servers (or software) do, and there are some very direct safety implications of said wear and tear. But still a valid analogy to convince the C-Suites of the need of allocating budget for replacement and lifecycle.
Re:11 years old. (Score:5, Funny)
First time a car analogy could actually be useful.
That's not true. And somebody, somewhere, has a car analogy to illustrate why.
Re: (Score:2)
California is still using the DMV software from decades ago. It sucks, but the fact that it's still viable is fairly amazing. AFAIK it's all still on an IBM mainframe of some sort. I've never worked there, thankfully. I have worked for the county of Santa Cruz, which was an IBM shop with real glass terminals at the time, though they were generally next to PCs at my site... Which were also IBMs :)
Re: 11 years old. (Score:5, Informative)
It's not unusual for a machine shop to have tools that are 30 years old.
Clearly old hardware deserves an old operating system. And if your tool, a computer, is not under any new demands, it will perform satisfactorily for many years. Buying a more powerful computer doesn't necessarily translate into higher productivity if your requirements are not cutting-edge.
Re: 11 years old. (Score:5, Interesting)
My old job had several CNC machines that were sent programs via an ancient Mac SE. Imagine doing CAD work on a 9" monochrome screen. The problem was the Mac had some custom scripts that translated the CAD output to the machine code. Easier to buy eBay parts than upgrade that mess.
Re: (Score:2)
Windows XP was really liberal in how hardware drivers could access the kernel, there are a ton of MRI machines out there that will never work with anything else.
There is a sawmill in Oregon that still runs on punch cards.
Re: (Score:3)
It's not unusual for a machine shop to have tools that are 30 years old.
Yes... but your band saw probably isn't nearly as susceptible to ransomware as Windows 7 is. But, hey, if you just need a very basic computer that is disconnected from the internet, Win 7 is great and the FBI isn't talking about you.
Re: (Score:2)
susceptible to ransomware as Windows 7 is
Ransomware isn't much of a threat if you have even a basic backup plan.
Re: 11 years old. (Score:4, Funny)
But it is unusual for people to try to slip in bar stock designed to damage older tools.
Re: (Score:3)
It's not unusual for a machine shop to have tools that are 30 years old.
Yeah but then how are tool makers going to sell them new ones? Tools need to last about 5 years, with forced obsolescence at 10.
Tools aren't like hit songs where you can keep collecting the royalties for a century or more! Wait... Can we do that? Can we make you rent your tools? Adobe make it work...
- Big Tool Mfg. Co. CEO Richard Head
Re: 11 years old. (Score:4, Insightful)
Yeah but then how are tool makers going to sell them new ones? Tools need to last about 5 years, with forced obsolescence at 10.
That's how phone marketing works. Mainly because we let them do this to us.
Tools aren't like hit songs where you can keep collecting the royalties for a century or more! Wait... Can we do that?
SaaS is great for business, bad for consumers. It's all designed to empty our bank accounts.
Re: (Score:3)
> Tools aren't like hit songs where you can keep collecting the royalties for a century or more! Wait... Can we do that? Can we make you rent your tools?
Don't worry, scummy John Deere already claimed farmers don't own their tractors [wired.com] under the DMCA. General Motors claims locking people out helps innovation! /s
Re: (Score:3)
Machine shop tools are unlikely to get a ransomware virus that will lock them until you pay bitcoins to a scammer to unlock your shop.
And Windows 10 will be the new target, not changing the fact that a computer is more work to use and secure.
Re: (Score:2)
IT needs to help us mitigate the risk while considering our particular business needs. Otherwise, I'll do their job for them, and not as well.
Indeed. When corporate IT departments get above themselves, forgetting what they're there for and mandating enterprise-wide policies that make their lives easier but don't necessarily help the staff they are there to support, it's really no better than when a vendor like Microsoft tries to impose new ways of working that aren't in its customers' interests. Corporate IT's job is to tell the vendor to take a hike at that point, not to ask, "How high?"
Re: (Score:2)
If it makes you feel any better, I once had to explain to a client's law firm why sending confidential details via unencrypted email might not be a great idea. Maybe they were confident that if anything leaked, there would be sufficient legal remedy available not to worry about it, but that seems like a rather optimistic approach compared to just having proper security in the first place...
Re: (Score:2)
The result is, half the people with computers still running Windows XP can't use their versions of Outlook and whatever to access the mail, as it uses some newer TLS standard...
I hate the Richard that came up with the idea, all because M$ promised them there's no cost to it. (now, of course. In a decade's time...) Ugh.
Re: (Score:2)
My former client was still using Windows XP SP3 for their old specialized printers. My dentist finally dumped it a few years ago, but was still using W7 as of Feb. 2020. :/
Re: (Score:3)
Plenty of companies took a very long time to upgrade from XP to 7 and then they saw the shitshow of 8 and stayed with 7. I'm still using it for a desktop but eventually plan to move it to a VM.
Re: (Score:2)
Some say it runs better as a VM. Golden images, and secure the data, which is what ransomware is really all about.
Re: (Score:2)
Maybe you run a small business and don't want the risks that come built into Windows 10?
The high-end editions of 10 are very different to the lower-tier ones in this respect, and Pro is now a lower-tier edition.
It is entirely possible that for some businesses, staying on 7 for now and taking other steps for security would be a reasonable policy.
Re: (Score:3, Informative)
That's the thing, though: it's not about "milking value". It's about the new version being actively worse in important ways.
If you deal with any sort of confidential data or work to important deadlines, how can you possibly do so responsibly (not to mention comply with legal and regulatory obligations in many cases) if you're using a system that can be changed without your consent and that uploads data from your systems in ways you can't turn off?
In Enterprise world, these are non-issues, because even Micro
Re: (Score:2)
for small businesses and independent professionals, the traditional market for the Pro edition, 10 is a train wreck for the same reasons it always has been.
For all the reasons, plus more reasons. Microsoft has really screwed the pooch with this forced update crap. If they were more competent and/or the job was easier (because the multitudes of PCs do still vary quite a bit in behavior) then perhaps they could get away with it without alienating people, but the fact that they've had so much trouble with the updates causing problems is the real clincher that will irritate people into seeking other solutions to their computing needs.
Re: (Score:2)
I do run a small business, and I don't want the risks. I use Linux.
Re: (Score:2)
So do we. Also Apple gear, and various mobile platforms. But sometimes, you need to run software that is Windows-only, or if you're in software development maybe you need to build and test something you write yourself on Windows, so you can't always just ignore Microsoft's platform either.
So then you get into whether you have to have 10, and if so, how you secure it properly, i.e., under your control and not Microsoft's. The fact that doing so means hitting a fast-moving target and requires external measure
Re: (Score:2)
I still use my Win7 PC I got for $100 from Weirdstuff Warehouse, works great. I have the Windows Firewall activated but that's about it. I have to admit I don't keep up with computer security stuff that much, soooo much news of systems getting hacked it becomes like car crashes. So many occur almost none are news exception of really bad accidents that block the freeways for hours.
I also have couple XP, one for online the other is not. This has various programs I probably cannot put on newer PCs. Even if I
Re: (Score:2)
It's hard to believe that Windows 7 is 11 years old and companies are still using it.
It's unusual to use technology that works?
How are the wheels on your car, or the knife in your kitchen drawer? Obtuse much?
Re: (Score:2)
My buggy-whip is still working properly despite all the teasing from the "you're a Luddite" crowd.
Re: (Score:2)
My buggy-whip is still working properly despite all the teasing from the "you're a Luddite" crowd.
And congrats to you and your dead horse?
Being anathema to change isn't a reason for non-change, and change itself doesn't preclude you from doing what you have done.
That sounds like two obtuse logics rolled into one.
Re: (Score:2)
Everything has its place. If you have an appliance that isn't networked, what does it matter how old the software is? You don't fix what isn't broken.
If you have a 20-year-old car that's paid off and you only use it for going to the doctor's and the grocery store, and it has 80k on it, does it really need replacing? I would say absolutely not, because it's still running perfectly fine while fulfilling your needs.
P.S. That 20-year-old car is also a '96 Chevy Camaro. The old guy that owned it bought it just befo
Swapping out a car is much easier. (Score:2)
You get the new car, and you drive it around. Done.
When you upgrade your systems, your business workflows break all over the place. If you just "jump in" to the upgrade your whole business can crash into a brick wall! You have to upgrade it a piece at a time with the option to roll back really quickly if suddenly something unexpected breaks, and then you need to pull people off their regular work to investigate why it broke and re-design whatever-it-was, sometimes rifling through scripts (or whatever) th
Re: (Score:2)
That's not quite fair, is it? If your company acquires a fleet of ... let's say Mercedes in 2000, they might very well choose to replace worn out vehicles with a newer year but same model Mercedes - a car that is essentially the same as the old one but with improved safety features, a small change to the angle of the neck rest etc.
Patches. Updates. Not a whole new look for the car.
Re: (Score:2)
When I worked for a physical security VAR one of my last projects in 2013 was to move the local Coast Guard base's access control system off Win NT 4.0. We still had a customer at that time running their AMAG access control system on Win 98 because there was no way to get the database off the old machine, and the data center for one of the area's largest hospitals had their Lenel system on NT 4.0 for the same reason. (The AMAG machine finally died the next year when it couldn't boot after a power outage,
I'm still waiting for the FBI Windows 10 warning (Score:3, Insightful)
If the Chinese released something like Windows 10, there would be widespread panic, fear and confusion. And probably a lot of orange tweets.
I tried it for 2 days, got a bunch of updates, hated it, and installed Linux.
WARNING (Score:5, Insightful)
If you don't upgrade to Windows 10, we won't have access to all the data on your system through Microsoft and their Telemetry system, and then we won't be able to keep you SAFE.
This is why I still use Vista (Score:3)
Re: (Score:2)
Vista is just Windows 7 with less attention paid to it and more memory consumption. There's no way it's more secure than 7.
Also old Windows updates have been disabled (Score:2)
Upgrading is overrated. (Score:3)
Malicious documents, Internet Explorer (Score:2)
Phishing is common, of course. It's very much not the only threat. I see many malware documents and malware links coming in email each day. Pdfs, zip files, and Microsoft Office documents. If it's a .xls or .doc file rather than .xlsx or .docx, it's probably malware.
As you mentioned, various JavaScript-borne attacks are big. You seem to think/imply that old unpatched copies of Windows are immune to web-based attacks? Quite the opposite. When you say "hacks these days from web ads", that means "exploit In
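The post above ranks attachments by extension (.doc/.xls suspicious, .docx/.xlsx less so). A gateway check should look at the bytes instead: legacy Office files are OLE compound files (magic D0 CF 11 E0) whose directory stores stream names as UTF-16LE, so a VBA project is visible as the string "_VBA_PROJECT"; modern Office files are ZIP containers, and a macro-enabled one carries a vbaProject.bin part whatever extension it was mailed under. The following is an added example written for this page, not code from the thread or any named product; its sample files are constructed in memory and the verdict strings are my own labels.

```python
"""Classify an e-mail attachment by its content, not its file name.

Added example, not from the original thread. Sample inputs are constructed
inline; the verdict labels are illustrative policy names, not a real product's.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # [MS-CFB] compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a ZIP
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")  # CFB directory names are UTF-16LE

LEGACY = {"doc", "xls", "ppt"}
MODERN = {"docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}


def classify_attachment(data: bytes) -> str:
    """Return one of: ole-with-vba, ole, ooxml-with-vba, ooxml, zip, other."""
    if data.startswith(OLE_MAGIC):
        # Directory entries are not compressed, so the stream name is visible raw.
        return "ole-with-vba" if VBA_STREAM_UTF16 in data else "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-with-vba"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "other"


def verdict(filename: str, data: bytes) -> str:
    """Combine the content class with the extension the sender chose."""
    kind = classify_attachment(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind.endswith("with-vba"):
        return "block: macro-bearing Office document"
    if ext in LEGACY and kind != "ole":
        return "flag: extension/content mismatch"
    if ext in MODERN and kind != "ooxml":
        return "flag: extension/content mismatch"
    return "allow"


# --- constructed samples (not real documents) -----------------------------
def make_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_ole(with_macro: bool) -> bytes:
    # A real CFB header is 512 bytes; only the magic and a directory-name
    # fragment matter to this check, so the remainder is zero padding.
    body = OLE_MAGIC + b"\x00" * 504
    if with_macro:
        body += VBA_STREAM_UTF16 + b"\x00" * 40
    return body


if __name__ == "__main__":
    for name, blob in [("invoice.docx", make_ooxml(True)),
                       ("invoice.doc", make_ooxml(False)),
                       ("report.doc", make_ole(True)),
                       ("notes.docx", make_ooxml(False))]:
        print(f"{name:14s} {classify_attachment(blob):15s} {verdict(name, blob)}")
```

The mismatch branch is the part worth keeping: an .xls that is really a ZIP, or a .docx that is really an OLE file, is either a renamed sample or an Office-compat trick, and either way deserves a look regardless of which extension the poster's rule of thumb would have trusted. A .docm legitimately contains vbaProject.bin, so whether "block" is the right answer for it is a policy decision, not something the bytes settle.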
Delicious documents, I-single-E (Score:2)
(Micro-rant:) The natural human assumption is that newer is better nearly 100% of the time, but experience has shown me it's closer to 60% as no one seems to consider the unintended consequences of the new. (Granted, I'm speaking more generally, not just about software.) Every few months on Slashdot you see the "new" is even killing people now as we rely more and more on the software gods.
Re: (Score:2)
> The natural human assumption is that newer is better nearly 100% of the time, but experience has shown me it's closer to 60%
Newer is certainly not automatically better. Though of course engineers try to make things better, not worse, with each version.
This discussion is not about better. Maybe somebody likes Windows 95 because it's simpler. That's better, by their definition of better. Fine. We're not talking about better.
Each month, Microsoft releases about ten fixes for various security issues.
Re: (Score:2)
I have a database with THOUSANDS of Windows 7 vulnerabilities.
Well, good; you're the person to ask then (this is not an argument, it's a genuine question): Can an attacker remotely enter a (say, Windows 7) machine without the end user's involvement, as over a network?
Re: (Score:2)
Yes.
The mean time to compromise for unpatched Windows instances launched in AWS is measured in *minutes*, not even hours.
Assuming the machine is doing something on the network, has a port open in or out - if it's shutdown, perhaps has the power supply removed, it's significantly safer.
Re: (Score:2)
> Why would an incoming port be open? That sounds dangerous to me (though I'm a coder, not an IT guy).
I take it you don't do web apps?
Or ever work on remote machines?
For "internet connected" to mean anything, you have to have ports open - in, out, or both. If you're making web requests out, I can put a malicious payload in those. Maybe on a web page or in an email. If you're providing any kind of service - NTP, web, mail, DNS, whatever, I can send exploits that way.
For example there are exploits again
Re: (Score:2)
Only if "the typical user" doesn't use the internet.
No web pages, no emails.
Re: (Score:2)
Yep, it opens a connection, retrieves the malware-laden page from the unpatched WordPress site, then closes the connection. The dropper then opens a connection to download the stage 2 malware.
Re: (Score:2)
You seem to want to believe that Microsoft releases fixes for several security issues on the second Tuesday of every month just for fun - that OS-level security problems don't matter.
Yes. See the second half of this post:
https://slashdot.org/comments.... [slashdot.org]
Re: (Score:2)
Just to give you a taste, here are the 20 security holes in Windows 7 that Microsoft patched on the February 2020 patch Tuesday. (You'd have to buy this patch). It was a typical month, with 20 security holes fixed by the February patches.
https://www.tenable.com/plugin... [tenable.com]
Two are particularly interesting. One is in the media playing library. With that, playing a video (such as on a web page) lets the attacker run arbitrary code on your system. The second is a privilege escalation to kernel mode. Combinin
Re: (Score:2)
the ability to reformat your hard drive, when you play the video.
What if I WANT to reformat while watching a video? Sounds like a feature to me! Sincerely, Microsoft Market Department.
:)
Thanks for the back-and-forth; I learned some stuff! On the other hand, hackers aren't bothering to attack my XP machines.
Re: (Score:2)
Let me make it even simpler:
If people can use the machine, people can use the machine. And I am people. If people can use it in some way, I can use it - and probably not in the way you intended.
PS: you mentioned you're a developer.
Can you do me a favor and read over the OWASP top ten one more time. I've been doing dev for about 20 years, developing security-related software and systems. It's good for me to be reminded of those things from time to time.
Where do you plan to get Win 7 patches? (Score:2)
> Nobody is talking about unpatched instances of anything
Where do you plan to be getting Windows 7 patches?
Not from Microsoft.
Microsoft posts them every month (Score:2)
Microsoft posts a list of vulnerabilities every month. You don't have to wait for me to reply, you can get that list at the Microsoft Security Update Guide. It's posted on the second Tuesday of each month. It's called "patch Tuesday".
You asked for "after January 2020", so you'd start with February 2020. February was a typical month, with 20 security holes patched in Windows 7 (but now you have to buy the fixes).
Here are the 20 security holes in Windows 7 that Microsoft patched on the February 2020 pa
Re: (Score:2)
My final comment there was dickish and I apologise for that.
In text form, there is of course no tone of voice, so I might well have missed the tone of voice you intended. I read your posts as argumentative. Further, I read you as basically arguing that Windows never has any security issues worth worrying about (assuming the user doesn't do really dumb things).
By way of example, the patch Tuesday you asked about, the one immediately after January 2020, covered 99 vulnerabilities. Patch Tuesday happens like th
Re: (Score:2)
I should say 8.0 or higher are vulnerabilities that are really bad *even all by themselves*. Lower-scored ones are typically combined to create a devastating combination.
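The triage rule the poster is applying (CVSS 8.0 and above is dangerous on its own; a lower-scored user-mode RCE such as the media-library bug plus a lower-scored kernel EoP adds up to the same full compromise) is easy to run over a month's Security Update Guide export. Below is an added example, not code from the thread or from Microsoft: the records are constructed stand-ins with the fields such an export carries, and the CVE numbers are placeholders rather than real identifiers, so the scores and components prove nothing about any actual month.

```python
"""Rank one month's Windows 7 fixes: standalone-critical plus RCE+EoP chains.

Added example, not from the original thread. SAMPLE_RECORDS is constructed;
its CVE numbers are placeholders, not real identifiers.
"""
from itertools import product as cartesian

STANDALONE_THRESHOLD = 8.0            # the poster's "bad all by itself" line
RCE = "Remote Code Execution"
EOP = "Elevation of Privilege"

SAMPLE_RECORDS = [  # constructed: shape only, not a real month's data
    {"cve": "CVE-0000-0001", "product": "Windows 7", "cvss": 8.8, "impact": RCE, "component": "Scripting Engine"},
    {"cve": "CVE-0000-0002", "product": "Windows 7", "cvss": 7.8, "impact": RCE, "component": "Media Foundation"},
    {"cve": "CVE-0000-0003", "product": "Windows 7", "cvss": 7.0, "impact": EOP, "component": "Win32k"},
    {"cve": "CVE-0000-0004", "product": "Windows 7", "cvss": 5.5, "impact": "Information Disclosure", "component": "Kernel"},
    {"cve": "CVE-0000-0005", "product": "Windows 10", "cvss": 9.0, "impact": RCE, "component": "RDP"},
]


def for_product(records, product):
    """Keep only the rows that name the product we still have in the fleet."""
    return [r for r in records if r["product"] == product]


def standalone(records, threshold=STANDALONE_THRESHOLD):
    """Bugs whose base score alone puts them over the line, worst first."""
    return sorted((r for r in records if r["cvss"] >= threshold),
                  key=lambda r: -r["cvss"])


def chains(records, threshold=STANDALONE_THRESHOLD):
    """Pair every sub-threshold RCE with every EoP: user-mode foothold + kernel."""
    rces = [r for r in records if r["impact"] == RCE and r["cvss"] < threshold]
    eops = [r for r in records if r["impact"] == EOP]
    return [(a["cve"], b["cve"]) for a, b in cartesian(rces, eops)]


def triage(records, product="Windows 7"):
    """Summarise the month for one product; patch_now is the only field that matters."""
    rows = for_product(records, product)
    crit = standalone(rows)
    pairs = chains(rows)
    return {
        "total": len(rows),
        "standalone": [r["cve"] for r in crit],
        "chains": pairs,
        "patch_now": bool(crit or pairs),
    }


if __name__ == "__main__":
    for prod in ("Windows 7", "Windows 10"):
        print(prod, triage(SAMPLE_RECORDS, prod))
```

The point of the chain step is that a 7.8 RCE and a 7.0 EoP each sit below the threshold, yet together they are exactly the "play a video, attacker owns the kernel" path described a few comments up; a scoring filter that looks at rows one at a time misses that. On a Windows 7 fleet without ESU the output is academic, since "patch_now" has no patch to point at; that is the whole argument of the thread.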
Re: (Score:2)
This is a distant problem in my world; we write stuff and it runs, untouched, for 25+ yea
Garbage in, garbage out? Physical damage out? (Score:2)
Obviously change matters. Making the operating system read-only, as Android does, has some benefits.
However, SCADA vulnerabilities are a big friggin deal.
You may have heard of Stuxnet. The attackers caused the Iranian nuclear centrifuges to physically destroy themselves, by using malware that told them to spin too fast. The firmware in the centrifuges wasn't being updated, the interface software was probably very stable. What could the designers have done differently?
You probably spend your time tryin
Re: (Score:2)
Ask every 6 months and the answer will be "yes, and it's even easier now"
Re: (Score:2)
Newer is certainly not automatically better. Though of course engineers try to make things better, not worse, with each version.
Except of course where DRM is involved, where they spend most of the time making things not work. And wherever money is involved, because "making things better" means to make more money (i.e., better for the developer, not the end user). Those two exceptions rarely come up though, right??
Re: (Score:2)
If you know this, lots of people know this. The natural human assumption is not that newer is better nearly 100% of the time. History is basically littered with conflict that revolves around newer vs older.
Re: (Score:2)
The natural human assumption is not that newer is better nearly 100% of the time. History is basically littered with conflict that revolves around newer vs older.
I guess I accidentally exaggerated; it seems that's the mode today, with "vintage enthusiasts" being outliers. I have to look no further than this website's home page to see a kerfuffle over Tesla's in-car touchscreen, for example.
FBI is directing warning in wrong direction (Score:3)
Re: (Score:2)
^ This.
Windows 10 makes me look back on Vista and Me with fond memories...
We're no longer maintaining... (Score:2)
... backdoors.
Or disclosing vulnerabilities.
Not that we were disclosing vulnerabilities in the first place.
Not Windows 98 (Score:2)
Windows 7 is not Windows 98. It was understandable that Microsoft would not be able to keep patching 16-bit and 16/32-bit operating systems in perpetuity. But Windows NT, XP, 7, and 10 are all just Windows NT.
For the sake of national security, Microsoft needs to switch to an annual subscription sales model for its operating systems the way it is already transitioning to for Office.
Windows 7 not really EOL because W7 ESU (Score:3, Interesting)
Playing devil's advocate for a moment here: (Score:2)
Re: (Score:2)
Credible comments welcomed.
HUUR DURR M$ BAD (Score:3)
Saying "Linux" is disingenuous as "Windows" is still supported too.
Speaking of Linux, nowhere does the FBI say you must start using Windows 10, only that you stop using Windows 7. Change to an updated version of BSD for all they care.