[German]Tip for people who are still running Windows 7 SP1 and/or Windows Server 2008 R2 and want to continue securing the system. ACROS Security will continue to support these systems in 2023 and 2024 with micropatches that close known vulnerabilities.
Windows 7 SP1 and Windows Server 2008/R2 have reached their planned End of Life (EOL) on January 14, 2020 and will no longer receive regular security updates. For enterprise customers, however, Microsoft offers a paid support extension under the Extended Security Update Support (ESU) program. I had reported in the blog post Wow! Windows 7 get extended support until January 2023 about it and annually also gave hints about the ESU extension. In addition, there is the possibility to have security updates installed by means of the ByPassESU solution – which is used by some private people.
Currently, it is still unclear to me whether Microsoft will extend this ESU program after January 2023 for 2023 and 2024 (for Windows Server 2008 R2, there will definitely still be support through security updates in 2023 for certain environments). But there are apart from the Microsoft ESU solution still the 0patch micropatches, which are created by ACROS Security based on the Microsoft security updates. In the blog post Windows 7: Securing with the 0patch solution – Part 2 I described what is needed (the 0patch agent and a user account with a subscription to ACROS Security).
The offered solutions range from Free to Pro to Enterprise. Annual licenses for Pro and Enterprise are available for little money. Depending on the user account model, ACROS Security then provides micropatches that are loaded into memory by the 0patch agent under Windows at runtime and eliminate the known vulnerabilities. In the Free variant, only serious vulnerabilities are closed in the process.
I had speculated in the August 2022 blog post Will Microsoft provide ESU support for Windows 7/8.1 and Server beyond January 2023? that Microsoft might extend support for Windows 7, Windows Server 2008 R2, Windows 8.1 and Windows Server 2012 R2 beyond 2023. At the time, I had asked Mitja Kolsek, the founder of ACROS Security, if they would also support the aforementioned operating systems with micropatches beyond January 2023. At the time, the answer was that it was all still open – because ACROS Security needs the Microsoft updates to analyze the vulnerability fixes, if necessary, and then develop micropatches.
A few hours ago Mitja Kolsek contacted me directly and pointed out the above tweet. There he announces that for Windows 7 and Windows Server 2008 R2 critical security patches will be provided for two more years (2023 and 2024, until January 2025) in the form of micropatches for the 0patch agent. So you can continue to secure your systems against vulnerabilities.
The details of Mitja Kolsek's announcement can be read in their blog post Two More Years of Critical Security Patches for Windows 7 and Windows Server 2008 R2. A FAQ provides answers to the most important questions. So, from January 2020 until today, the 0patch team has developed and deployed 51 micropatches for critical vulnerabilities.
Windows 7: Securing with the 0patch solution – Part 2 – Teil 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service
0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows
0patch fixes ms-officecmd RCE vulnerability in Windows
0patch fixes RemotePotato0 vulnerability in Windows
0patch fixes again vulnerability CVE-2021-34484 in Windows 10/Server 2019
0Patch fixes vulnerabilities (CVE-2022-26809 and CVE-2022-22019) in Windows
Windows MSDT 0-day vulnerability "DogWalk" receives 0patch fix
0patch fixes all known and exploitable Windows NTLM/Kerberos vulnerabilities
0patch fixes Memory Corruption vulnerability (CVE-2022-35742) in Microsoft Outlook 2010
Cookies helps to fund this blog: Cookie settings