Wednesday, October 12, 2022

Two More Years of Critical Security Patches for Windows 7 and Windows Server 2008 R2

Extended Security Updates about to be terminated? Don't worry, we have your back.

by Mitja Kolsek, the 0patch Team

Update 8/9/2023: 0patch also security-adopts Windows Server 2012 and 2012 R2 as these server versions reach end of support. Read more about it.

Is your organization still using Windows 7 or Windows Server 2008 R2? We understand: these are good stable Windows versions that just work, do not force you to perform unneeded upgrades that change your user interface, don't distract users with ads and news they never wanted to see, don't send tons of telemetry data to Microsoft and most of all, reliably support your work processes.

Perhaps you've kept using these Windows versions without any security updates when free updates were terminated in January 2020 (narrator: "That's a bit risky."). Or you may have purchased Extended Security Updates (ESU) to keep receiving official security fixes from Microsoft (narrator: "That's a bit expensive."). Or, you may have been using 0patch to keep running Windows 7 and Server 2008 R2 securely by receiving our security micropatches for the most-likely-to-be-exploited critical vulnerabilities.

If you chose the Extended Security Updates path, you have a big decision ahead of you, as these updates are about to be terminated soon: Windows 7 and Windows Server 2008 R2 (on-prem) will receive their last ESU update in January 2023.

After that, no new security patches for these two Windows versions will exist.

... is what could be said if it weren't for 0patch.

We have decided to keep providing security patches for Windows 7 and Windows Server 2008 R2 for critical vulnerabilities that are likely to get exploited, and will be happy to keep you secured for a fraction of what you had paid for ESU so far. And you won't have to restart your computer even once, because our patches are applied directly in the memory of running processes instead of changing your executable files!

If you're using ESU and want to continue with 0patch, just keep applying all remaining ESU updates, including the last one in January 2023. Then install 0patch Agent on all your Windows 7 and Server 2008 R2 computers, and register it to your 0patch account holding a suitable number of licenses.

That's it. No really, that's it.

I mean, that's it if you want to "set and forget" 0patch, which many of our users actually do. Otherwise you can use 0patch Central to decide which of our micropatches shall be applied on which computers by organizing computers in groups and setting group-specific patching policies. (Enterprise licenses are needed for that.)

Of course it would be a good idea to test 0patch in your environment first instead of waiting until January. We'll be happy to set you up with a trial so you can see how 0patch works and how it co-exists with other components in your environment. Just email sales@0patch.com and you'll be quickly on your way.


Frequently Asked Questions


Q: How long do you plan to provide critical security patches for Windows Server 2008 R2 and Windows 7 after January 2023?

A: For at least two more years - until January 2025. Depending on the demand, we'll consider a further extension.

Q: How many vulnerabilities have you patched for Windows Server 2008 R2 and Windows 7 since January 2020?

A: Since January 2020 when we "security-adopted" Windows 7 and Windows Server 2008 R2, we have issued patches for 52 critical security issues on these systems that were at high risk of being exploited. Many of them were later actually confirmed to be exploited in the wild and even more of them became part of various exploit kits that even a low-budget attacker could easily use against unpatched systems.

Q: We haven't been using Extended Security Updates and have had no security patches since January 2020. Can we still use 0patch to get up to speed with critical security patches?

A: Of course. Just make sure you have January 2020 updates installed on your Windows 7 and Server 2008 R2 computers and start using 0patch; it will apply all micropatches that other users without Extended Security Updates have been receiving since 2020.

Q: We have been using Extended Security Updates but only for one or two years. Can we still use 0patch to get up to speed with critical security patches?

A: Absolutely. All micropatches for Windows 7 and Server 2008 R2 we have ever issued were ported to fully updated computers (1) without ESU, (2) with only the first year of ESU, and (3) with only the second year of ESU. We'll keep doing this, and will - starting with February 2023 - also port new patches to fully updated computers (4) with the third year of ESU, so anyone can join in and get all our patches.

Q: Are your micropatches actual code patches or "virtual patches"?

A: Our patches are actual code patches; we add a couple of CPU instructions to the original (vulnerable) executable code to remove the vulnerability. Such patches cannot be bypassed, whereas literally any other exploit protection mechanism - including virtual patches - can be.

Q: What is the main difference between 0patch patches and original vendor patches?

A: These are the main differences:

  1. Our patches are applied in memory only and don't modify executable files.
  2. Due to the above, applying or un-applying our patches does not require you to even relaunch patched applications, much less restart the entire computer.
  3. Our patches are really tiny, usually just a couple of CPU instructions; by modifying only the tiniest possible fraction of original code we also minimize the possibility of introducing new flaws in the code.
  4. We don't provide patches for all security issues, only for those that are sufficiently severe and likely to be exploited.

Q: How can I keep using Windows 7 or Server 2008 R2 when all major browsers will stop receiving security fixes in January 2023?

A: We will security-adopt Microsoft Edge in January 2023, so you'll be able to keep using Edge securely even though it won't get updated by Microsoft anymore. 

Q: Are you also going to security-adopt Windows Server 2012 when it reaches end of support next year?

A: Yes we are.

Q: We'd like to see a demo.

A: Send an email to sales@0patch.com and provide your company name and time zone so we can suggest a couple of dates for the demo. 

Q: We'd like to set up a trial.

A: Create a free account in 0patch Central, then let us know at sales@0patch.com which email you used for that so we can issue a couple of trial licenses to your account.

Q: We have more questions about 0patch.

A: Our Help Center has a lot of answers but if you can't find yours there, feel free to contact us at sales@0patch.com.
