Windows 7 and Windows Server 2008 will reach end-of-life status in January of 2020, meaning Microsoft will stop shipping security fixes unless organizations pay for extended support. One group, however, is looking to keep both secure by issuing its own “micropatches” for the two operating systems after Microsoft’s official support ends.
As detailed in a recent blog post, 0patch, a group backed by security research firm ACROS Security, has laid out a plan to develop and deploy patches for high-risk vulnerabilities in Windows 7 and Windows Server 2008 after January 2020.
The patches will be developed based on the security advisories Microsoft posts with each Patch Tuesday for Windows 10. 0patch says that its team will determine which high-risk vulnerabilities are present in Windows 7 or Windows Server 2008 and then develop proof-of-concept (POC) tests for triggering those vulnerabilities. From there, 0patch plans to develop and deploy fixes on its own. From 0patch:
“Once we have a POC and know how the vulnerability was fixed by the people who know the vulnerable code best (i.e., Microsoft developers), we’ll port their fix, functionally speaking, as a series of micropatches to the vulnerable code in Windows 7 and Windows Server 2008, and test them against the POC. After additional side-effect testing we’ll publish the micropatches and have them delivered to users’ online machines within 60 minutes.”
The plan sounds ambitious, but the firm is hoping it can be used as a stop-gap for large organizations that may not be ready to update to Windows 10 and want to keep their Windows 7 and Windows Server 2008 machines secure. The group is currently working on its own central management service that allows administrators to set up groups of computers and use different policies for them.
Earlier this year, Microsoft began warning Windows 7 users about the OS’s impending end-of-life date on January 14, 2020. Those still running Windows 7 on personal PCs are encouraged to move to Windows 8.1 or Windows 10, but enterprises can opt to pay for extended security support.