Microsoft’s end-of-life support for Windows 7 has run into its first set of issues with its extended security updates (ESUs). Support for Windows 7 ended on January 14, 2020. The only exception is through purchasing an ESU. However, administrators who paid for the ESU found that the updates they downloaded would not apply. A manual patch download is required before the updates will install properly. The only problem? Microsoft forgot to tell anyone that they need to download the patch manually.
If you do not install the mandatory patch, you will be unable to receive the ESU updates that were purchased. While the patch was released on February 11, 2020, there was no mention of it as a prerequisite to receiving updates and support. The patch package will appear in Windows Server Update Services (WSUS), the patch management platform provided by Microsoft, but it will not be installed automatically through the service. Companies that purchased the ESUs but remain unaware of the necessary patch will therefore not receive any of the February patches. Customers could potentially never receive their ESUs if they remain unaware of the mandatory patch.
As Susan Bradley, a computer network and security consultant, puts it, “While I’m glad that Microsoft offered Windows ESUs to small business, I’m also concerned that I have now put small business at the mercy of what feels like a less-than-planned implementation. In order to get patched by Windows Update, one must stumble on a brand-new blog post out today and download a patch only on the catalog site. The idea behind paid-for-security patches is to make it easier to be patched while you are still running Windows 7, not make it harder to get updates.”
Windows 7 ESUs are crucial for the security of the enterprises that still use the operating system. Windows 7 remains one of the most used operating systems among businesses today, at 32.74% of the market share. There are valid security concerns with Microsoft’s approach. First, because Microsoft did not disclose the patch prerequisite, many of its clients have been left unsecured. Microsoft has significantly increased the likelihood that a client’s device is not up to date with the latest patches. While this may seem minor, cyberattackers thrive on the complacency of businesses in their patch maintenance, using unpatched systems to install malware and backdoors on their networks. Second, the ESUs are a service that business owners have already paid for. Failure to deliver on a promised product erodes trust between businesses and vendors. The ESUs are supposed to make the patching process easier and more secure. When Microsoft’s approach makes users less secure and is inconvenient for them, it is perhaps time to examine improvements to the update process.
Microsoft has since updated its procedural notes to mention the mandatory patch, but there has still been little effort to highlight it. Without up-to-date support for Windows 7, businesses that use the system will be at risk from external probes. This is especially concerning given that businesses have already purchased the ESUs for the entire year. Current Windows 7 users should install the patch if they have not done so already. Furthermore, Windows 7 users should continue to weigh the fiscal and security consequences of not updating to a newer version of Windows, including examining alternative options. Check your systems to see whether you require this mandatory patch to make the most of your Windows 7 ESU.
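One way to check a fleet for the prerequisite, as an added example that is not part of the original article or of any Microsoft tooling: the script below queries each host's OS version and installed hotfix list over WMI and flags Windows 7 machines on which a given KB is missing. The KB number (`$EsuPrerequisiteKb`) is a placeholder to be replaced with the identifier from Microsoft's ESU documentation, since the article does not name it; the script also assumes WMI access to the remote hosts and sticks to PowerShell 2.0 syntax because that is what Windows 7 ships with.

```powershell
# Added example (not from the article): report whether the ESU prerequisite
# package is installed on one or more Windows 7 hosts.
# The KB number is a placeholder; take the real one from Microsoft's ESU notes.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$EsuPrerequisiteKb = 'KB-PLACEHOLDER'
)

function Test-EsuPrerequisite {
    param([string]$Computer, [string]$Kb)

    # Win32_OperatingSystem.Version is 6.1.* for Windows 7 / Server 2008 R2.
    # Get-WmiObject (not Get-CimInstance) so this runs on stock PowerShell 2.0.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer
    $isWin7 = $os.Version -like '6.1.*'

    # Get-HotFix wraps Win32_QuickFixEngineering; a missing KB yields no object.
    $prereq = Get-HotFix -Id $Kb -ComputerName $Computer -ErrorAction SilentlyContinue

    # Most recent install date gives a rough idea of whether updates still flow.
    $lastUpdate = Get-HotFix -ComputerName $Computer -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # New-Object/-Property instead of [pscustomobject] for PowerShell 2.0.
    New-Object PSObject -Property @{
        Computer              = $Computer
        OSVersion             = $os.Version
        IsWindows7            = $isWin7
        PrerequisiteInstalled = [bool]$prereq
        LastUpdateInstalled   = if ($lastUpdate) { $lastUpdate.InstalledOn } else { $null }
        # Action is only needed on Windows 7 hosts that lack the prerequisite.
        NeedsAction           = ($isWin7 -and -not $prereq)
    }
}

$results = foreach ($c in $ComputerName) {
    Test-EsuPrerequisite -Computer $c -Kb $EsuPrerequisiteKb
}

$results |
    Select-Object Computer, OSVersion, IsWindows7, PrerequisiteInstalled, LastUpdateInstalled, NeedsAction |
    Format-Table -AutoSize

# Non-zero exit when any Windows 7 host still needs the prerequisite, so the
# script can gate a scheduled job or monitoring check.
if ($results | Where-Object { $_.NeedsAction }) { exit 1 } else { exit 0 }
```

Run it from a management host with a list of names (`.\Test-EsuPrerequisite.ps1 -ComputerName ws01,ws02 -EsuPrerequisiteKb KB...`). The `LastUpdateInstalled` column is the quick sanity check the article implies: a Windows 7 host whose last install date predates the ESU period, with the prerequisite missing, is one that paid for ESUs but is not receiving them.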
By exploiting a five-year-old configuration error, a hacker was able to access the Amazon S3 cloud storage buckets on which Twilio’s code was hosted. As a result, customers unknowingly downloaded the modified code for twenty-four hours.
Qualys VMDR and Ivanti have announced a new partnership dedicated to improving the detection and patching of vulnerabilities. Announced July 30, the Qualys and Ivanti partnership has already gone live as an integrated component of the VMDR solution.
Microsoft recently previewed the specific features to tackle data security and risk management for end users with Microsoft Endpoint Data Loss Prevention (DLP) and Double Key Encryption. The reason for the launch? The increasing shift towards a remote work environment and a need to mitigate the accompanying risks.
IBM is changing the terms of its ubiquitous Passport Advantage agreement to remove entitled discounts on over 5,000 on-premises software products, resulting in an immediate price increase for IBM Software & Support (S&S) across its vast customer landscape.
RiskSense announced on July 13 its new version of the cloud-delivered RiskSense risk management platform. The main draw of the program is its holistic risk calculation across CVEs and CWEs.
To bolster and broaden its data privacy capabilities for end users, cyber and data protection vendor Acronis has acquired DLP player DeviceLock. The acquisition aligns with the increasingly prevalent role that data privacy plays in cybersecurity.
Cyberthreats are omnipresent for any enterprise. Monitoring ingress and egress points while still conducting business is a balance security professionals attempt to strike. Couple this with the continued security issues around remote work during the pandemic, and security teams have their hands full.
Navigating the vendor risk management space, particularly in the current environment that consists of a mix of cloud, managed services, and critical supply chain, is key to ensuring that you don’t inadvertently introduce new risks through this dynamic channel.
On May 26, Kenna Security released its new Prioritization to Prediction Benchmark Survey. This free tool provides organizations with the ability to compare their vulnerability management programs to industry averages Kenna Security has compiled over the years.