Windows 7 End-of-Life Troubles Continue: ESUs Don’t Apply to Enterprises That Purchased Licences
Microsoft’s end-of-life support for Windows 7 has run into its first set of issues with its extended security updates (ESUs). Support for Windows 7 ended on January 14, 2020; the only exception is for customers who purchase an ESU. However, administrators who paid for the ESU found that the updates were not applying. A prerequisite patch must be downloaded and installed manually before the ESU updates will apply. The only problem? Microsoft forgot to tell anyone that they need to manually download the patch.
If you do not install the mandatory patch, you will be unable to receive the ESU updates that were purchased. While the patch was released on February 11, 2020, there was no mention of it as a prerequisite to receiving updates and support. The patch package will appear in Windows Server Update Services (WSUS), the patch management platform provided by Microsoft, but it will not be installed automatically through the service. Companies that purchased the ESUs but remain unaware of the prerequisite patch will, as a result, not receive any of the patches for February. Customers could potentially never receive their ESUs if they remain unaware of the mandatory patch.
As Susan Bradley, a computer network and security consultant, puts it, “While I’m glad that Microsoft offered Windows ESUs to small business, I’m also concerned that I have now put small business at the mercy of what feels like a less-than-planned implementation. In order to get patched by Windows Update, one must stumble on a brand-new blog post out today and download a patch only on the catalog site. The idea behind paid-for-security patches is to make it easier to be patched while you are still running Windows 7, not make it harder to get updates.”
Windows 7 ESUs are crucial for the security of the enterprises that are still using the operating system. Windows 7 is still one of the most used operating systems among businesses today, at 32.74% of the market share. There are valid security concerns about Microsoft’s approach. First, because Microsoft did not disclose the patch prerequisite, many of its clients have been left unsecured. Microsoft has significantly increased the likelihood that a client’s device is not up to date with the latest patches. While this may seem minor, attackers thrive on complacency in patch maintenance, using unpatched systems to install malware and backdoors on business networks. Second, the ESUs are a service that business owners have already paid for. Failure to deliver on a promised product erodes trust between businesses and vendors. The ESUs are supposed to make the patching process easier and more secure. When Microsoft’s approach makes users less secure and becomes inconvenient to users, it is perhaps time to examine improvements to the update process.
Microsoft has since updated its procedural notes to mention the mandatory patch, but there has still been little effort to highlight it. Without up-to-date support for Windows 7, businesses that use the system will be at risk from external probes. It is especially concerning given that businesses have already purchased the ESUs for the entire year. Current Windows 7 users should install the prerequisite patch if they have not done so already. Furthermore, Windows 7 users should continue to weigh the fiscal and security consequences of not updating to a newer version of Windows, including examining alternative options. Check your systems to confirm whether the mandatory patch is present so that you get the most out of your Windows 7 ESU.
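The check recommended above can be automated across a fleet. The following PowerShell script is an added example written for this page, not code from Microsoft or from the article; it assumes the operator supplies the KB identifier of the ESU prerequisite package (the article does not name it, so `KB0000000` below is a placeholder, not a real KB number), that the hosts allow remote WMI, and that only PowerShell 2.0 features are available since that is what Windows 7 ships with. It classifies each host as not Windows 7, unreachable, ready (prerequisite present) or missing (ESU updates will not apply).

```powershell
# Added example (not from the article): report which Windows 7 hosts have the
# ESU prerequisite package installed. The KB number is NOT given in the article;
# replace the placeholder with the ID from Microsoft's ESU documentation.
param(
    [string[]]$ComputerName   = @($env:COMPUTERNAME),
    [string]  $PrerequisiteKB = 'KB0000000'   # placeholder, not a real KB number
)

function Get-Win7EsuPrereqStatus {
    param([string]$Name, [string]$KB)

    # Reach the host via WMI first; an unreachable host is reported, not skipped silently.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Name -ErrorAction Stop
    } catch {
        return New-Object PSObject -Property @{
            Computer = $Name; Status = 'UNREACHABLE'; Detail = $_.Exception.Message
        }
    }

    # Windows 7 reports NT kernel version 6.1; other versions are out of scope for ESU.
    if (-not $os.Version.StartsWith('6.1')) {
        return New-Object PSObject -Property @{
            Computer = $Name; Status = 'NOT-WIN7'; Detail = "$($os.Caption) $($os.Version)"
        }
    }

    # Get-HotFix lists installed update packages; match on the HotFixID column.
    $installed = Get-HotFix -ComputerName $Name -ErrorAction SilentlyContinue |
                 Where-Object { $_.HotFixID -eq $KB }

    if ($installed) {
        return New-Object PSObject -Property @{
            Computer = $Name; Status = 'READY'
            Detail   = "$KB installed on $($installed.InstalledOn)"
        }
    }
    return New-Object PSObject -Property @{
        Computer = $Name; Status = 'MISSING'
        Detail   = "$KB not installed; ESU updates will not apply until it is"
    }
}

# Emit one row per host; pipe to Export-Csv for a fleet-wide report.
foreach ($name in $ComputerName) {
    Get-Win7EsuPrereqStatus -Name $name -KB $PrerequisiteKB |
        Select-Object Computer, Status, Detail
}
```

Run it from a management host as `.\Check-Win7EsuPrereq.ps1 -ComputerName (Get-Content hosts.txt) -PrerequisiteKB <KB from Microsoft's ESU guidance>`. The `MISSING` rows are the machines that will silently stop receiving ESU updates even though WSUS shows the package as available, which is exactly the gap the article describes.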