Windows 7 Post-Retirement: Patches for a Price

Microsoft has announced that it will offer Windows 7 patch support to any business, no matter how small, that is willing to pay.

Microsoft is now making Windows 7 Extended Security Updates (ESUs) available to any business. The move ensures that any business user who is unable (or unwilling) to migrate to the newer Windows 10 can still receive security updates and support until January 2023.

Back in September 2018, Microsoft announced extended support for the aging operating system, but it was limited to customers with volume licensing deals for Windows 7 Enterprise and Windows 7 Professional. The offer has now been widened to any business willing to pay (commonly referred to as “patches-for-a-price”), since support for Windows 7 ends in January 2020.

“Through January 2023, we will extend the availability of paid Windows 7 Extended Security Updates (ESU) to businesses of all sizes,” stated Jared Spataro, Corporate Vice President for Microsoft 365. “The Windows 7 ESU will be sold on a per-device basis with the price increasing each year. Starting on December 1, 2019, businesses of any size can purchase ESU through the cloud solution provider (CSP) program. This means that customers can work with their partners to get the security they need while they make their way to Windows 10.”

How much will Windows 7 support cost?

The new pricing is not cheap and is strictly per-device. It also differs between Pro and Enterprise licenses and increases each year. ESU pricing starts at $25 per device for Windows Enterprise in year one, rising to $100 per device in year three. For Pro users, ESU pricing starts at $50 per device in year one and rises to $200 per device in year three.

Alongside the paid continued support for the retiring operating system, Microsoft reminded all Office 365 users that Windows 7 is coming to an end and is strongly urging them to upgrade as soon as possible because of the security risk of running an unsupported system. “Using Office 365 ProPlus on older, unsupported operating systems may cause performance and reliability issues over time,” stated Microsoft in late September. “Therefore, if your organization is using Office 365 ProPlus on devices running Windows 7, we strongly recommend your organization move these devices to Windows 10.”

Even though Windows 7 can now receive extended security updates and fixes, Microsoft will not allow devices running Windows 7 to receive Office 365 ProPlus feature updates, which limits the license itself.

“This information applies even if you have purchased Extended Security Updates (ESU) for Windows 7…After you move Office 365 ProPlus to a supported Windows operating system, preferably Windows 10, you can configure Office 365 ProPlus to begin receiving feature updates again. Since updates for Office 365 ProPlus are cumulative, you will receive all the feature updates that you missed while the device was running Windows 7.”

It’s worth noting that although Windows 7 can still technically be used for Office 365, Microsoft didn’t release any additional details on that level of support: “We’ll be providing more information by January about how to get security updates for Office 365 ProPlus on devices running Windows 7 after support for Windows 7 ends.”

Final Thoughts

So there you have it. Windows 7 will gain extended support, if you want to pay the hefty price, but any Office 365 users (or any service for that matter) should be wary that certain aspects will not receive support after the January 2020 deadline.

The industry recommendation is to migrate all devices to Windows 10 to ensure all services won’t be affected as well as full support for quality and feature updates.

CVE and CVSS: Explained

CVE and CVSS are some of the most commonly misunderstood aspects of patching today. Explore the differences and see how they can affect your patching strategy.

Although many IT managers are familiar with these terms, CVE and CVSS are some of the most commonly misunderstood aspects of patching today. The two terms go hand in hand with operating system and software vulnerabilities and with patching.

What is CVE?

The CVE (Common Vulnerabilities and Exposures) number is a unique identifier used by vendors such as Microsoft, RedHat, and Adobe to catalog individual vulnerabilities for which patches are provided as a resolution. Think of it like the page numbers in a book: every page has a unique number, which makes it quick to find the information on that page.

CVE numbers usually look like this: CVE-nnnn-nnnn (the year, followed by a sequence number). As you can see, there is scope for millions of vulnerabilities.

“Our clients should feel confident that the CVE number is not owned by any specific software vendor,” said Robert Brown, Director of Services for Verismic Software. “Therefore, it is an unbiased and independent database for all vendors to publish their vulnerabilities.”

This also means that vendors must publish transparent content to these databases. At the very least, this provides some assurance to the accuracy of the data. Each company that wishes to publish its vulnerability announcements must become a CNA (CVE Numbering Authority) before its participation is considered reliable.

Vendors will include as much information as possible within each CVE record. For example:

  • CVE number
  • Description of vulnerability
  • Severity
  • References to other CVE records (also known as supersession)
  • Change History
  • Publish Date

What is a CVSS Score?

The CVSS (Common Vulnerability Scoring System) is an independently assigned score (out of 10) which is based on a large number of factors to determine the importance of a vulnerability. To compare CVSS scores, let’s look at how Microsoft scores their vulnerabilities.

Microsoft’s rating system is relatively simple:

  1. Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
  2. Important – Vulnerabilities where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
  3. Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
  4. Low – The impact is comprehensively mitigated by the characteristics of the mitigated component.
  5. NA – Not Available

However, Microsoft’s approach self-certifies vulnerabilities in its products.

Generating the CVSS score is highly complex, but it takes into consideration the following important questions:

  1. How easy is the vulnerability to exploit? Do you need network or physical access, and do you need elevated privileges?
  2. Can you exploit over the internet or do you need physical access?
  3. Is specific software or configuration of software needed? Does it impact everything?
  4. How much end-user interaction is needed?

Each of these factors (and many more) feeds into sub-scores that are combined into a final CVSS score out of 10. Industry experts believe this offers the most accurate way to decide how quickly you must take action if any of these vulnerabilities exist within your environment.

Rating     CVSS Score
None       0.0
Low        0.1 – 3.9
Medium     4.0 – 6.9
High       7.0 – 8.9
Critical   9.0 – 10.0

Are CVSS scores necessary? Prove it!

Let’s take a couple of updates from the August 2019 Patch Tuesday, and a few others, to compare:

Vendor                   Patch Name              Vendor Severity   CVSS Score
Google                   Chrome_v76.0.3809.100   NA                High – 8.8
Microsoft                KB4462137               Critical          High – 7.8
Microsoft                KB4474419               NA                Critical – 9.8
Microsoft                KB4508433               NA                Critical – 9.8
The Document Foundation  LibreOffice_v6.2.5      NA                Critical – 9.8

As you can see from the sample above, vendor severity and CVSS scores are not always aligned. If you take Microsoft’s severity rating at face value, you can potentially waste two of the most precious assets you have—time and resources. Rolling out many patches across a massive distributed IT environment takes time.
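As an added example (not code from the original post), the following Python script applies the CVSS bands from the rating table above and re-ranks the August 2019 sample by CVSS score rather than vendor severity, flagging the rows where the two disagree. The mapping of Microsoft's ratings onto CVSS bands and the CVE ID pattern (which also accepts the longer sequence numbers allowed since 2014) are assumptions of this example.

```python
import re

# CVE IDs are CVE-<year>-<sequence>; since 2014 the sequence may run past four digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
# Assumed mapping from Microsoft's own ratings to the nearest CVSS band.
MS_TO_CVSS_BAND = {"Critical": "Critical", "Important": "High",
                   "Moderate": "Medium", "Low": "Low"}

def parse_cve(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, or None if malformed."""
    m = CVE_RE.match(cve_id.strip().upper())
    return (int(m.group(1)), int(m.group(2))) if m else None

def cvss_rating(score):
    """Map a CVSS base score (0.0-10.0) to the qualitative band in the table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for upper, name in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return name
    return "Critical"

def prioritize(patches):
    """Rank (vendor, patch, vendor_severity, cvss) tuples by CVSS score, highest
    first, and flag each patch whose vendor rating disagrees with its CVSS band."""
    ranked = sorted(patches, key=lambda p: p[3], reverse=True)
    result = []
    for vendor, name, vendor_severity, cvss in ranked:
        band = cvss_rating(cvss)
        vendor_band = MS_TO_CVSS_BAND.get(vendor_severity)  # None when "NA"
        mismatch = vendor_band is not None and vendor_band != band
        result.append((name, band, cvss, mismatch))
    return result

# Constructed sample: the rows of the August 2019 comparison table above.
SAMPLE = [
    ("Google", "Chrome_v76.0.3809.100", "NA", 8.8),
    ("Microsoft", "KB4462137", "Critical", 7.8),
    ("Microsoft", "KB4474419", "NA", 9.8),
    ("Microsoft", "KB4508433", "NA", 9.8),
    ("The Document Foundation", "LibreOffice_v6.2.5", "NA", 9.8),
]

if __name__ == "__main__":
    for name, band, score, mismatch in prioritize(SAMPLE):
        print(f"{name:24} {band:8} {score:4.1f}", "vendor rating disagrees" if mismatch else "")
```

Run as a script it prints the sample in rollout order; KB4462137, which Microsoft rates Critical, lands last because its CVSS score of 7.8 is only High.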

The longer a known vulnerability is left unpatched, the greater the risk of having it exploited by an attacker. Evidence suggests that attacks against known vulnerabilities spike in the hours and days after the patches are released—this is why it’s important to know how urgent a vulnerability is. 

What’s the solution?

Take any vendor's vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as the Common Vulnerability Scoring System (CVSS). Each month US-CERT / NIST uses CVSS to rate most patch updates the same day they are released. This gives a better idea of the risk level a particular vulnerability poses to your business.

Downtime for businesses can also be extremely costly. The best approach to patching is to have a dedicated window of downtime each month to update systems. If there is a compatibility issue with a patch and systems need to be rolled back, this extends the downtime and can impact the bottom line of a business.

This is where the service we provide to clients comes in. We analyze the binary code for each patch update and begin testing and piloting the updates before deploying them through Syxsense. This allows us to discover any problems with patch updates before they’re implemented.

Patching is all about improving your security posture. By taking a measured approach and using independently assessed scores, you can confidently prioritize which patches need to roll out.
