Why can't Microsoft update the 'long-outdated security architectures' it says Windows 7 is based upon?
As time goes by, Microsoft seems to be making it more difficult to justify sticking with Windows 7.
First Microsoft announced it will scale back support for Windows 7 on new machines and more recently it began a campaign to denigrate the security of Windows 7 relative to Windows 10.
This week the German arm of Microsoft said that Windows 7 "won't meet the requirements of users of modern technology, nor the higher security needs of IT departments", going on to say the older OS "is based on long-outdated security architectures".
This downbeat assessment came days after Microsoft announced that Windows 10's hardened security had neutralized several vulnerabilities that were later exploited by two zero-day hacks—proactively protecting the OS without the need for a dedicated patch.
The security measures that blocked these zero-days were added to Windows 10 via the Anniversary Update patch last summer. So why couldn't these same protections be added to Windows 7 and other older Microsoft operating systems? Is this a deliberate choice by Microsoft to push users to Windows 10 or is it unreasonable to expect Microsoft to expend resources updating older OSes in this way?
Greg Iddon, security specialist at Sophos, believes it would be untenable for Microsoft to harden Windows 7's security to the same extent.
"Many of us would like to see these security improvements brought to Windows 7 and the like," he said.
"While it is almost certainly possible to port these security improvements over, the changes would likely risk breaking a number of legacy applications, and require a large amount of effort to port and maintain.
"Securing software as complicated as an operating system requires a lot of time and resources. Spreading this thinly across multiple ageing and out of mainline support operating systems wouldn't be a smart move."
Other Windows 10-specific security features—such as Credential Guard, which offers additional protection for login details, and Device Guard, which allows devices to be restricted to only running trusted software—are too deeply coupled to the architecture of Microsoft's latest OS, said Windows security expert and SANS Institute Fellow Jason Fossen.
"New Windows 10 security features like Credential Guard and Device Guard are not like installing a new application or background service, but require deep changes in the kernel of the operating system. For this reason alone, Microsoft would not back port them to Windows 7."
Microsoft is also no longer adding new features to Windows 7 at this point in the OS' lifecycle, since mainstream support for the OS ended in January 2015. As long as Microsoft continues to patch Windows 7 machines against the latest bugs and vulnerabilities, it is fulfilling its extended support agreement, which will see it deliver security and reliability fixes to the OS until January 2020.
But it would be naive to assume Microsoft has no wider commercial interest in seeing users move to Windows 10, as was evident from the lengths it went to in getting home users to upgrade from Windows 7 and 8.
"Microsoft is moving away from selling traditional software licenses to selling cloud-based services in Azure, and wants everyone stuck on Windows 7 to upgrade to Windows 10 to help drive this business model," said Fossen.
"Microsoft wants everyone in the world to have a Microsoft Account in Azure, to log into their Windows or non-Windows devices with their Microsoft Account, and then use Azure-integrated web services like Office 365, Cortana, Outlook.com, OneDrive, Skype, and so on.
"Windows 10 is Microsoft's preferred platform for Azure, not just for the licensing income, but also because many Windows 10 features are designed around Azure services, and more Azure integration will be added every year, such as for LinkedIn."
Microsoft's messaging on the security shortcomings of Windows 7 seems targeted at business users. While Microsoft said last year that Windows 10 was being adopted "150 percent faster" than Windows 7, some unofficial figures paint a different picture, with a study by Softchoice finding that less than one percent of Windows PCs inside firms were running Windows 10.
However, businesses may not be persuaded by Microsoft's approach of stressing Windows 7's vulnerability, given many larger enterprises run security suites to safeguard their infrastructure. And while Microsoft talks up Windows 10's enhanced security, aspects have been found to be lacking in some external tests, notably Windows 10's built-in malware protection.
Microsoft did not respond to a request for comment.