Windows 7 End-of-Life Troubles Continue: ESUs Don’t Apply to Enterprises That Purchased Licences
Microsoft’s extended security updates (ESUs) for Windows 7 have run into their first problem. Support for Windows 7 ended on January 14, 2020; the only way to keep receiving security fixes is to purchase an ESU. However, administrators who paid for ESUs found that the updates were not applying. A patch must be downloaded and installed manually before the ESU updates will install. The only problem? Microsoft forgot to tell anyone that the patch has to be downloaded manually.
If you do not install the mandatory patch, you will not receive the ESU updates you purchased. Although the patch was released on February 11, 2020, there was no mention of it as a prerequisite for receiving updates and support. The patch package appears in Windows Server Update Services – the patch management platform provided by Microsoft – but it is not installed automatically through the service. Companies that purchased ESUs but are unaware of the required patch will therefore receive none of the February patches. Customers could potentially never receive their ESUs if they remain unaware of the mandatory patch.
As Susan Bradley, a computer network and security consultant, puts it, “While I’m glad that Microsoft offered Windows ESUs to small business, I’m also concerned that I have now put small business at the mercy of what feels like a less-than-planned implementation. In order to get patched by Windows Update, one must stumble on a brand-new blog post out today and download a patch only on the catalog site. The idea behind paid-for-security patches is to make it easier to be patched while you are still running Windows 7, not make it harder to get updates.”
Windows 7 ESUs are crucial for the security of the enterprises that still run it. Windows 7 remains one of the most used operating systems among businesses today, with 32.74% market share. There are valid security concerns with Microsoft’s approach. First, because Microsoft did not disclose the patch prerequisite, many of its clients have been left unsecured. Microsoft has significantly increased the likelihood that a client’s device is not up to date with the latest patches. While this may seem minor, cyberattackers thrive on the complacency of businesses in their patch maintenance to install malware and backdoors on their networks. Second, the ESUs are a service that business owners have already paid for. Failure to deliver a promised product erodes trust between businesses and vendors. The ESUs are supposed to make the patching process easier and more secure. When Microsoft’s approach makes users less secure and less convenient to serve, it is perhaps time to examine improvements to the update process.
Microsoft has since updated its procedural notes to mention the mandatory patch, but there has still been little effort to highlight it. Without up-to-date support for Windows 7, businesses that use the system will be at risk from external probes. This is especially concerning given that businesses have already purchased ESUs for the entire year. Current Windows 7 users should implement the patch if they have not done so already. Furthermore, Windows 7 users should continue to weigh the fiscal and security consequences of not updating to a newer version of Windows, including examining alternative options. Check your systems to see if you require this mandatory patch to make the most of your Windows 7 ESU.
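One way to do that check across a fleet, as an added example that is not from the article or from Microsoft: the PowerShell script below inventories a list of hosts, keeps only the Windows 7 / Server 2008 R2 machines (OS version 6.1), and reports which of them lack the prerequisite package. The host names are constructed, and the KB identifier is a placeholder because the article does not give it; substitute the ID Microsoft publishes for the ESU prerequisite.

```powershell
# Added example, not the article's own procedure. Assumes the running account can
# query WMI (DCOM) on each host, which is how Get-WmiObject and Get-HotFix reach
# remote Windows 7 machines without needing PowerShell remoting enabled.
$PrereqKB = 'KBxxxxxxx'                          # PLACEHOLDER: real ESU prerequisite KB ID
$Hosts    = @('win7-finance-01', 'win7-lab-02')  # constructed sample host names

$report = foreach ($h in $Hosts) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop

        # Only 6.1.x builds are Windows 7 / Server 2008 R2; other OSes do not need the ESU prerequisite.
        if (-not $os.Version.StartsWith('6.1')) {
            [pscustomobject]@{ Host = $h; OS = $os.Caption; PrereqInstalled = 'n/a'; InstalledOn = $null; Error = $null }
            continue
        }

        # Get-HotFix reads Win32_QuickFixEngineering, the same installed-update list WSUS compliance reports use.
        # A missing KB is a non-terminating error, so it is silenced and $hf stays $null.
        $hf = Get-HotFix -Id $PrereqKB -ComputerName $h -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Host            = $h
            OS              = $os.Caption
            PrereqInstalled = [bool]$hf
            InstalledOn     = if ($hf) { $hf.InstalledOn } else { $null }
            Error           = $null
        }
    }
    catch {
        # Unreachable or access-denied hosts are listed separately so they are not mistaken for compliant ones.
        [pscustomobject]@{ Host = $h; OS = $null; PrereqInstalled = $null; InstalledOn = $null; Error = $_.Exception.Message }
    }
}

# Windows 7 hosts without the prerequisite will silently receive no ESU updates until it is installed.
Write-Host 'Windows 7 hosts still missing the ESU prerequisite package:'
$report | Where-Object { $_.PrereqInstalled -eq $false } | Format-Table Host, OS -AutoSize

Write-Host 'Hosts that could not be queried (verify manually):'
$report | Where-Object { $_.Error } | Format-Table Host, Error -AutoSize

$report | Export-Csv -Path .\win7-esu-prereq-report.csv -NoTypeInformation
```

Because the article notes the package shows up in WSUS but is not pushed automatically, the missing-host list is also the approval list for that package in the WSUS console.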