|
MS-DEFCON 3:
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
|
-
Yes, there’s a crack to enable extended security updates on all Win7 machines. No, you shouldn’t count on it.
Posted on Comment on the AskWoody LoungeThis topic contains 65 replies, has 27 voices, and was last updated by
EP 1 week, 4 days ago.
-
Martin Binkmann on Ghacks.net has some cracking news about the Win7 Extended Security Updates — the ability to install Win7 security patches from Mic
[See the full post at: Yes, there’s a crack to enable extended security updates on all Win7 machines. No, you shouldn’t count on it.] -
-
-
anonymous
-
-
-
In Jan 2020 , the licensing agreement (EULA) that we all ‘agreed to’ in order to use W7 on a device, also ends. Therefore, the EULA will have no relevance after EOS.
In the W7 licensing agreement, the section on ‘Scope of the License’ states that you can not make changes to the OS that Microsoft does not agree with and you can not distribute your changes to others. So, legally you could make changes to W7 after EOS. If that is correct, there is nothing illegal about installing this crack after Jan 14, 2020. Microsoft can not use any online access it may have to W7 devices to remove the script or try to close the hole because they no longer have legal access (I am speculating).
I understand that the ESU is a separate licensing agreement, but the original W7 licensing agreement remains in effect for these clients. That means that the W7 licensing server will have to be operational until the end of 2023. It does not go away.
2 users thanked author for this post.
-
In Jan 2020 , the licensing agreement (EULA) that we all ‘agreed to’ in order to use W7 on a device, also ends. Therefore, the EULA will have no relevance after EOS.
Why do you believe this?
(It’s certainly not stated in the EULA.)
-
-
Because the contract obligations will have been met. Contracts end.
Open-ended licensing arrangements with no specified term don’t “end” because “the contract obligations have been met.”
From the EULA:
“By using the software, you accept these terms. If you do not accept them, do not use the software.”
There is no other “termination” clause specified in the licensing agreement that you agreed to.
-
The EULA merely states the terms and conditions in regards to the client’s obligations and Microsoft’s obligations under the licensing agreement (i.e. using the license). W7 has a finite life cycle where Microsoft clearly states that the service ends Jan 14,2020. Unless the client enters into an amendment with Microsoft to continue support (e.g. ESU), Microsoft (and the client) is no longer legally bound to the original contract.
FWIW: I do not care for a ‘crack’ that is basically there to skirt paying for a legitimate service (ESU). If you want ESU and you qualify for it, then pay for it or move on.
-
This reply was modified 2 months, 3 weeks ago by
NoLoki.
-
This reply was modified 2 months, 3 weeks ago by
-
W7 has a finite life cycle where Microsoft clearly states that the service ends Jan 14,2020. Unless the client enters into an amendment with Microsoft to continue support (e.g. ESU), Microsoft (and the client) is no longer legally bound to the original contract.
There simply is no other “original contract” other than the EULA.
Microsoft is not terminating the EULA, nor are they stating that you cannot continue to use Windows 7. They’re terminating support and technical services for Windows 7, per their one-sided, non-contractually-obligated commitment to a 10-year period of support.
1 user thanked author for this post.
-
-
-
-
This is pretty fundamentally flawed reasoning, for a few different reasons.
Firstly, an EULA is a legal contract. In a general legal sense, the terms of a contract remain in effect in perpetuity if there is no agreed-upon end date. If you disagree with this assessment, fine, but you’d have to bring the contract before the court in order to determine otherwise.
Second, if Microsoft was actually terminating the Windows 7 EULA on January 2020, then that would actually mean that nobody would have any further right to use the software. Expiry of a license would eman mean you can’t use it any more. It isn’t yours. Section 8: “The software is licensed, not sold”, remember?
Third, Microsoft isn’t ending support for Windows 7…. they’re just charging for security updates that were previously free, and free support channels are going away. That’s it.
I get that you really want to believe you’re correct in your beliefs…. but you’re not. Don’t believe me? Consult a lawyer. He’ll get you set straight.
-
This reply was modified 2 months, 3 weeks ago by
warrenrumak.
-
This reply was modified 2 months, 3 weeks ago by
-
-
Microsoft can not use any online access it may have to W7 devices to remove the script or try to close the hole because they no longer have legal access (I am speculating).
If true, Microsoft can not send updates to the same W7 PC as well.
2 users thanked author for this post.
-
I would not be surprised if there was a future update to seriously break Windows 7 for anyone who took advantage of this hack.
That being said, if they did not think of it yet, they certainly know now. I am sure they read the posts here.
Byte me!
-
This reply was modified 2 months, 3 weeks ago by
pHROZEN gHOST.
1 user thanked author for this post.
-
This reply was modified 2 months, 3 weeks ago by
-
I’m not relying on a crack to keep my one Windows 7 workstation patched after January. I turned off Windows Updates and installed 0Patch last month. It’s only been one month, but so far, so good. It’s so much less annoying than MS updates since it only injects critical patches when booting. It’s fast in doing so also. Since I make images of all our machines a couple times a week, this is not a serious risk. I intend to pay for the Pro patches, at $26 per year, when free MS support for W7 ends. I’m also looking at moving to Linux Mint on a workstation. Since it reads customer Windows drives, so I can back up their files and manually delete temp files and obvious malware, this is another consideration. Since Microsoft now focuses primarily on enterprise customers, I’ll do what I need to do to minimize my small business risk while being able to clean out customer’s Windows machines that have botched updates and malware issues. These Windows problems are, in my opinion, never going away with Microsoft continuously polishing the 35 year old turd instead of rebuilding the OS kernel on up. I’ve installed Linux Mint for some customers and, where appropriate, recommend consumers move to new Chromebooks with Android app and Linux support.
GreatAndPowerfulTech
-
@greatandpowerfultech
Hey, You could start your own thread on using 0patch..
for the benefit of the curious/interested 😉Win7 Pro x64 | Win8.1 Pro x64 | Linux Hybrids x86/x64 | Win7 Pro x86 | W10 never again-
Woody already has one at https://www.askwoody.com/forums/topic/worth-considering-0patch-for-win7-after-january-2020/
Woody’s post was one of the reasons I’m using 0patch now.
Go to 0patch.com. Download the “free agent”. You will need to set up an account. Disable Windows updates in Services and you’re good to go.
Windows 10 is terrible for manually checking drives pulled from other machines, to look for malware and delete hidden junk files. W10 runs much slower than Windows 7 when using it in this manner, on equivalent machines.
GreatAndPowerfulTech
1 user thanked author for this post.
-
-
0patch replaces Windows Updates, but it probably disables it for you.
Anybody tested this?cheers, Paul
1 user thanked author for this post.
-
I disabled Windows updates to see what 0patch actually did. It did what it was supposed to do. After January 20th, this will be a moot point anyway.
GreatAndPowerfulTech
1 user thanked author for this post.
-
-
-
-
anonymous
-
-
I frankly expected that some trick like this would have been discovered, but I also knew that it would have been announced way too early, thus making it absolutely useless -_-‘
1 user thanked author for this post.
-
anonymous -
Interesting. I knew someone would find a way to enable this.
Let’s see what happens after January.
My Digital Life – I gave up trying to read threads on that forum a long time ago. All I ever saw was “You need to login to view this posts content” every second or third post. And, no… I don’t want to register.
I suspect that’s the ‘default’ setting for posting there, i.e. the members needs to turn it off every post for non members to be able to see their messages. I assumed this because a lot of the posts (especially from ‘newbies’) are not really the sort of posts that the Admins/Mods there should think needed to be hidden from non members.
Oh, and in case anyone’s wondering how I’ve seen a lot of the ‘hidden’ posts – if someone quotes a ‘hidden’ post, non members can see the original post in the quote regardless of whether the quoted post was hidden or not.
Gigabyte GA-B250M-D3H Motherboard, Intel i5-7600 CPU, 32GB RAM, NVIDIA GeForce GTX 1050 Graphics Card, 1x Samsung 860 EVO 250GB SSD, 1x Samsung 850 EVO 250GB SSD, Windows 10 Professional 1909 64bit.
-
This reply was modified 2 months, 3 weeks ago by
Carl D.
1 user thanked author for this post.
-
anonymousThey’re doing things of questionable legality at best. They don’t want that information easily searchable by having it open to the public. Registering is no big deal–you can use a unique name and a throwaway email address so you can’t be tracked.
They’ve actually received DMCA take-downs before, and they have to comply at that point. They have to be careful.
Plus basically every forum I’ve seen requires you to register to download attachments, as part of keeping away bots.
1 user thanked author for this post.
-
This reply was modified 2 months, 3 weeks ago by
-
-
The answer to your question is implied in the name: “Rollup”.
All of the thousands of individual fixes made to Windows 7 since April 2016 (i.e. the so-called “Service Pack 2” convenience rollup) are rolled up into a single package.
But as each month goes by, more files across Windows 7 have needed fixes, so more files were included. Certain files (like the kernel and IE core DLLs, etc.) receive updates every month, but others might remain untouched for years until a problem is found.
It’s also worth noting that in many cases, all of the files for a particular component of Windows will get updated, even if the vulnerability exists in a single file within that component. This is because the “version number” embedded in each file gets updated at the same time.
I’ll give you an example. CVE-2019-0785 describes a DHCP vulnerability in Windows, which Microsoft patched in the July 2019 roll-up for Windows 7. There are a number of files in Windows related to DHCP (IPv4 implementation, IPv6 implementation, plug-in for Perfmon, the Windows Service host, language-specific translation files, MMC GUI, etc.etc.) All of those files got a version bump to 6.1.7601.24498 at the same time. And if the kernel, or some other component of Windows needed a fix at the same time, it would’ve gotten that same build number, too.
Each component of Windows is maintained by different groups of people, and that they have their own independent build processes. Every time a set of changes to a component is completed, the changes are pushed into the master Windows build branch, and the build number (e.g. “24498”) is increased by 1. Windows 7 RTM was build 16385, so yes, there have been 8,000 builds of Windows 7 in the last decade….
….
You can observe all this for yourself by downloading the CSV files they include with each monthly release’s patch notes. The recent CSV files list more than 11,000 files changed with a total file size of 2.8 GB. That’s not all of Windows 7, but it’s awfully close.
The updates are compressed, of course, and there is a “delta” mechanism that only includes the portions of files that have changed. (Each delta is applied one after the other, based on what patch level your system was at beforehand.)
But it’s still 11,000 files worth of changes over 4 years. That’s how you end up with a 300++ MB file.
-
This reply was modified 2 months, 3 weeks ago by
-
anonymous
-
This reply was modified 2 months, 3 weeks ago by
-
-
anonymous-
-
anonymousThat’s a good indicator that maybe MS should sell the extended security updates to the general consumer population and not only the Enterprise/Volume licensing customers or there will probably be a very robust black market for post Jan 2020 Windows 7 Security patches and MS losing out on even more potential revenues.
1 user thanked author for this post.
-
-
-
anonymousI’d like to throw in a distinction between unlicensed and illegal. Yes American football has illegal motion, but generally illegal suggests breaking a law, statute or criminal code; that is to say your activity is an action against society as governed by law.
The activity being discussed here certainly breaks the faith of the contracted license terms. But Microsoft is not equivalent to an authority with jurisdiction. They can withhold all service that was previously given, as a reaction to the broken terms, but cannot pass a criminal sentence. I would prefer to read this as “unlicensed”.
1 user thanked author for this post.
-
In most of the world, fraudulently dodging lawful service charges tends to be illegal.
And that’s not getting into actual copyright-based licensing at all.
Microsoft is clearly selling this as a service for those who already have previously acquired a license.
3 users thanked author for this post.
-
anonymous
-
-
-
anonymousCracks are what happens when MS refuses to offer consumers the chance to purchase Extended Windows 7 security updates like the Enterprise/Volume licensing customers have the option to purchase. So maybe MS should re-consider that as some folks will continue to run Windows 7 and get security patches any way they can.
I’m more in favor of just purchasing an available Windows 8.1 Retail OEM License key at a greatly reduced rate and run Windows 8.1 until 2023. I will be installing Linux on a few very old dual core i3 and core i5 laptops but the quad core Intel core i7 laptops can run 8.1 until 2023.
I do not see why MS does not want to make any more extended licensing sales but MS appears to be wanting to get out of the PC/Laptop OS business as their main focus as has been exemplified by MS’s move to a cloud/services focused business model.
1 user thanked author for this post.
-
Here is a thought:
W7 to W10 is still available and free.
The ‘digital license’ that W10 has can IIRC be used to activate a down grade to W7.
Could that digital license be used for an install of W8.1?Just something that popped into my head and I do not recall reading that this would be impossible…
🍻
Just because you don't know where you are going doesn't mean any road will get you there.1 user thanked author for this post.
-
anonymousThe cat and mouse games begins! Ms used a SSU to patch it and I read that the next bypass version is ready. Google or Duckduckgo it if you want details. I will not post links.
1 user thanked author for this post.
-
anonymousLost some respect for Ghacks today when they published the steps to do the “bypass”.
When you take something for sale without paying for it, it’s theft.
Ghacks promotion is disappointing.
2 users thanked author for this post.
-
When you take something for sale without paying for it, it’s theft.
Windows 7 home users can’t buy the ESU so there in no theft for them.
1 user thanked author for this post.
-
When you take something for sale without paying for it, it’s theft.
Windows 7 home users can’t buy the ESU so there in no theft for them.
So if you have something I want, but you don’t want to sell it to me, you’re ok with me just taking it from you without compensation?
When every man is his own moral compass the results are predictable.
-
-
-
-
No. Woody’s breaking his own rule here when he advertises a crack:
Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)
1 user thanked author for this post.
-
I think it’s a grey area. Not providing cracks for the software you’ve bought (Windows). Pointing out you can still get security updates for the software you’ve bought.
cheers, Paul
1 user thanked author for this post.
-
I don’t see it that way. The creators of the script in question aren’t dubious, and it certainly isn’t a keygen, nor is it advertised, merely noted as existing.
I’m sure a mod will have to, well, mod this thread, since this is as PaulT noted, a gray area.
1 user thanked author for this post.
-
It’s also about 99.999% likely, in my opinion, that MS will plug the hole before January.
That won’t keep people from trying, of course.
It is probably worth noting that, at the time this blogpost was written over two months ago, all of this was theoretical – the EOL was still weeks away…
🙂
1 user thanked author for this post.
-
-
-
anonymousNothing grey about it.
ESU licenses, and the updates that come with that license, are purchased…they are not free.
The “bypass” (hack) to “fake” an ESU license, to get the updates for free, is theft.
1 user thanked author for this post.
-
Just tried this on my test rig. No ESU license. All “needed” ESU updates successfully installed:
No reported issues or unusual outgoing/incoming traffic or suspicious processes. Looks the same as my regular rig which has gone the normal legit “Group B” route. Will leave running (do some harmless surfing & similar stuff on it) for a week before reverting to previous “clean + legit” ready-for-testing state. I find exercises / proof-of-concepts like this to be kinda fun & quite interesting.
Group B for WIN7 w/ ESU, plus trying out Linux builds in dual boot.
-
This reply was modified 1 week, 6 days ago by
Kranium.
1 user thanked author for this post.
-
This reply was modified 1 week, 6 days ago by
-
It seems to me that Microsoft are going to have to spend a lot of time (and devote quite a few staff who could probably be doing something else – like making sure Windows 10 updates are less problematic) over the next 3 years of Windows 7 extended support not just writing the security updates but also playing the ‘cat and mouse’ game with people who are obviously determined to get the extended security patches for free.
I’m sure someone from MS said a few years back that one of the reasons (if not the main reason) they wanted everyone on Windows 10 was so they could concentrate on the one operating system.
Since they are going to be spending just as much time supporting Windows 7 (probably even more now with the abovementioned ‘cat and mouse’ game) they should have just kept ‘extended’ Windows 7 support available for everyone for the next 3 years and even beyond.
Gigabyte GA-B250M-D3H Motherboard, Intel i5-7600 CPU, 32GB RAM, NVIDIA GeForce GTX 1050 Graphics Card, 1x Samsung 860 EVO 250GB SSD, 1x Samsung 850 EVO 250GB SSD, Windows 10 Professional 1909 64bit.
3 users thanked author for this post.
-
I find it interesting that Microsoft “officially” ended the “Get Windows 10” program on July 29, 2016. After that date Windows 10 would only be available on new computers, or available for PURCHASE (for a fee of $199 for the Windows 10 Professional).
Yet, how many people are still using the “free upgrade to Windows 10” method, after it ended 3.5 years ago, knowing it has not been officially available for free since July 29, 2016. These people see nothing wrong in using this method to get Windows 10 without having to pay the purchase price.
Yet many of these same people are probably taking the “high ground” claiming they would NEVER stoop to “steal” ESU updates after having upgraded to Windows 10 after July 2016 without paying for it
The fact that Microsoft has not shutdown the “free method to upgrade to Windows 10” for the last 3.5 years after it officially ended, means they do not care if people “steal” Windows 10, rather than pay for it.
The fact that Microsoft has not shutdown the “ESU crack” means they do not care if people “steal” the ESU updates, rather than pay for them.
This is not a question about contract law (I’m a retired Judge), but rather what Microsoft will allow to happen without endorsing/blocking the practice.
My personal opinion is that Microsoft allows the expired “free upgrade to Windows 10” program to continue because they want people to use Windows 10, instead of another OS such as Linux.
Following the same logic, I think Microsoft will allow this “hack” method of getting ESU updates in the hope that people will EVENTUALLY decide to upgrade to Windows 10, instead of another OS such as Linux.
Just my 2 cents….
PS: I’ve installed the “crack” but have not, as of yet, installed any of the ESU updates (waiting to see if it works for more than a month or 2).
4 users thanked author for this post.
-
this just came out recently on the Deskmodder.de site:
MODERATOR EDIT: English translation
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Recent Replies
Ascaris on Ublock origins, help please
2 hours, 11 minutes agowoody on MS-DEFCON 3: Get the February patches installed
2 hours, 12 minutes ago- 2 hours, 15 minutes ago
OscarCP on Cortana officially gets thrown under the bus
2 hours, 32 minutes agoTex265 on MS-DEFCON 3: Get the February patches installed
2 hours, 39 minutes agoDriftyDonN on MS-DEFCON 3: Get the February patches installed
2 hours, 44 minutes agogkarasik on Do you need to test cumulative updates?
3 hours, Just nowabbodi86 on MS-DEFCON 3: Get the February patches installed
3 hours, 17 minutes ago- 3 hours, 19 minutes ago
- 3 hours, 34 minutes ago
- 3 hours, 37 minutes ago
cmptrgy on WIN 7 administrator password
3 hours, 38 minutes ago- 3 hours, 40 minutes ago
John782 on MS Free Upgrade From W7 to W10 Is Still Working
4 hours, 8 minutes ago- 4 hours, 24 minutes ago
anonymous on WIN 7 administrator password
4 hours, 27 minutes ago- 4 hours, 31 minutes ago
- 4 hours, 33 minutes ago
Bundaburra on Cortana officially gets thrown under the bus
4 hours, 34 minutes agoKYKaren on Microsoft says the usual “C Week” previews/non-security patches are on their way
4 hours, 48 minutes agoCChamp on MS-DEFCON 3: Get the February patches installed
5 hours, 11 minutes agodph853 on MS-DEFCON 3: Get the February patches installed
5 hours, 16 minutes ago- 5 hours, 21 minutes ago
- 5 hours, 25 minutes ago
- 5 hours, 30 minutes ago
- 5 hours, 34 minutes ago
- 5 hours, 36 minutes ago
- 6 hours, 3 minutes ago
- 6 hours, 6 minutes ago
joep517 on MS-DEFCON 3: Get the February patches installed
6 hours, 11 minutes ago