Skip to main content
Tag

cvss

Windows 7 Post-Retirement: Patches for a Price

By News, Patch ManagementNo Comments

Windows 7 Post-Retirement: Patches for a Price

Microsoft has announced that it will offer Windows 7 patch support to any business, no matter how small, that is willing to pay.
[vc_empty_space]
[vc_single_image image=”34377″ img_size=”full”]

Microsoft is now allowing Windows 7 Extended Security Updates (ESUs) to be available to any business. The major move ensures that any business user who is unable to (or unwilling to) migrate to the newer Windows 10 can still receive security updates and support until January 2023.

Back in September 2018, Microsoft announced extended support for the aging operating system, except it was limited to only customers with volume licensing deals for Windows 7 Enterprise, as well as Windows 7 Professional. Recently, it was altered again to make it more widely available to any business simply willing to pay (commonly referred to as “patches-for-a-price”) since the deadline for support on Windows 7 is strictly coming to an end in January 2020.

“Through January 2023, we will extend the availability of paid Windows 7 Extended Security Updates (ESU) to business of all sizes,” stated Jared Spataro, Corporate Vice President for Microsoft 365. “The Windows 7 ESU will be sold on a per-device basis with the price increasing each year. Starting on December 1, 2019, businesses of any size can purchase ESU through the cloud solution provider (CSP) program. This means that customers can work with their partners to get the security they need while they make their way to Windows 10.”

How much will Windows 7 support cost?

The new pricing won’t be very cheap and will be strictly-limited to a per-device model. The pricing will also be different between Pro- and Enterprise-licenses and will indeed increase each year. Pricing of the ESUs will start from $25 per device for Windows Enterprise in year one, then up to $100 per device in year three. For Pro users, the ESU pricing starts at $50 per device in year one and up to $200 per device in year three.

In addition to exclusive and continued support for the dying operating system, Microsoft reminded all Office 365 users that Windows 7 is coming to an end and is strongly urging all to upgrade as soon as possible due to potential security risks if left unsupported. “Using Office 365 ProPlus on older, unsupported operating systems may cause performance and reliability issues over time,” stated Microsoft in late September. “Therefore, if your organization is using Office 365 ProPlus on devices running Windows 7, we strongly recommend your organization move these devices to Windows 10.”

Even though Windows 7 is now receiving extended support for security updates and fixes, Microsoft will not allow the device running Windows 7 to receive Office 365 ProPlus feature updates, limiting the license itself.

“This information applies even if you have purchased Extended Security Updates (ESU) for Windows 7…After you move Office 365 ProPlus to a supported Windows operating system, preferably Windows 10, you can configure Office 365 ProPlus to begin receiving feature updates again. Since updates for Office 365 ProPlus are cumulative, you will receive all the feature updates that you missed while the device was running Windows 7.”

It’s worth noting that although Windows 7 can still technically be used for Office 365, Microsoft didn’t release any additional details on that level of support, “We’ll be providing more information by January about how to get security updates for Office 365 ProPlus on devices running Windows 7 after support for Windows 7 ends.”

Final Thoughts

So there you have it. Windows 7 will gain extended support, if you want to pay the hefty price, but any Office 365 users (or any service for that matter) should be wary that certain aspects will not receive support after the January 2020 deadline.

The industry recommendation is to migrate all devices to Windows 10 to ensure all services won’t be affected as well as full support for quality and feature updates.

[vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.
[vc_btn title=”Get Started with Syxsense” color=”warning” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial|||”]

CVE and CVSS: Explained

By BlogNo Comments

CVE and CVSS: Explained

CVE and CVSS are some of the most commonly misunderstood aspects of patching today. Explore the differences and see how they can affect your patching strategy.
[vc_empty_space]
[vc_single_image image=”33897″ img_size=”full”]

Although many IT managers are familiar with these terms, CVE and CVSS are some of the most commonly misunderstood aspects of patching today. These two different terminologies are synonymous with operating system, software vulnerabilities, and patching.

What is CVE?

The CVE (Common Vulnerabilities and Exposures) number is a unique identifier used by vendors such as Microsoft, RedHat, and Adobe to catalog individual vulnerabilities where patches are provided as a resolution.  For example, every page of a book has a unique number. This solves the problem of finding the information on the page quickly.

Usually all CVE numbers look like this: CVE-nnnn-nnnn. You can see there is scope for millions of vulnerabilities.

“Our clients should feel confident that the CVE number is not owned by any specific software vendor,” said Robert Brown, Director of Services for Verismic Software. “Therefore, it is an unbiased and independent database for all vendors to publish their vulnerabilities.”

This also means that vendors must publish transparent content to these databases. At the very least, this provides some assurance to the accuracy of the data. Each company that wishes to publish its vulnerability announcements must become a CNA (CVE Numbering Authority) before its participation is considered reliable.

Vendors will include as much information as possible within each CVE record. For example:

  • CVE number
  • Description of vulnerability
  • Severity
  • References to other CVE records (also known as supersession)
  • Change History
  • Publish Date

What is a CVSS Score?

The CVSS (Common Vulnerability Scoring System) is an independently assigned score (out of 10) which is based on a large number of factors to determine the importance of a vulnerability. To compare CVSS scores, let’s look at how Microsoft scores their vulnerabilities.

Microsoft’s rating system is relatively simple:

  1. Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
  2. Important – Vulnerabilities where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
  3. Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
  4. Low – The impact is comprehensively mitigated by the characteristics of the mitigated component.
  5. NA – Not Available

However, Microsoft’s approach self-certifies vulnerabilities in its products.

Generating the CVSS score is highly complex, but it takes into consideration the following important questions:

  1. How easy is the vulnerability to be exploited? Do you need network or physical access and do you need elevated privileges?
  2. Can you exploit over the internet or do you need physical access?
  3. Is specific software or configuration of software needed? Does it impact everything?
  4. How much end-user interaction is needed?

Each of the above (and much more) are arranged in a sub score that is calculated together. The CVSS score is then calculated out of 10. Industry experts believe this offers the most accurate way to determine the priority of how quickly you must take action if any of these vulnerabilities exist within your environment.

Rating CVSS Score
None 0.0
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical 9.0 – 10.0

 

Are CVSS scores necessary? Prove it!

Let’s take a couple updates from the August 2019 Patch Tuesday, and a few others to compare:

 

Vendor Patch Name Vendor Security CVSS Score
Google Chrome_v76.0.3809.100 NA High – 8.8
Microsoft KB4462137 Critical High – 7.8
Microsoft KB4474419 NA Critical – 9.8
Microsoft KB4508433 NA Critical – 9.8
The Document Foundation LibreOffice_v6.2.5 NA Critical – 9.8

 

As you can see from the sample above, vendor severity and CVSS scores are not always aligned. If you take Microsoft’s severity rating at face value, you can potentially waste two of the most precious assets you have—time and resources. Rolling out many patches across a massive distributed IT environment takes time.

The longer a known vulnerability is left unpatched, the greater the risk of having it exploited by an attacker. Evidence suggests that attacks against known vulnerabilities spike in the hours and days after the patches are released—this is why it’s important to know how urgent a vulnerability is. 

What’s the solution?

Take any vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as the Common Vulnerability Scoring System (CVSS). Each month US-CERT / NIST uses CVSS to rate most patch updates the same day they are released. This gives a better idea of the risk level for a particular vulnerability to your business.

Downtime for businesses can also be extremely costly. The best approach to patching is to have a dedicated window of downtime each month to update systems. If there is a compatibility issue with a patch and systems need to be rolled back, this extends the downtime and can impact the bottom line of a business.

However, this is a service we provide to clients. We analyze the binary code for each patch update and begin testing and piloting the updates before deploying them through Syxsense. This allows us to discover any problems with patch updates before they’re implemented.

Patching is all about improving your security posture. By taking a measured approach and using independently assessed scores, you can confidently prioritize which patches need to roll out.

[vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.
[vc_btn title=”Get Started with Syxsense” color=”warning” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial|||”]
Patch Tuesday

HTTP.sys vulnerability fixed in April’s Patch Tuesday

By News, Patch Management, Patch TuesdayNo Comments

In this month’s patch updates from Microsoft there’s a total of 11 bulletins – four Critical and seven Important – covering 26 separate vulnerabilities. “We’re going to look at each of the four Critical updates in turn”, says Robert Brown, Director of Services at Verismic.

Data Encryption The first of the Critical updates from Microsoft, MS15-032, covers 10 separate vulnerabilities in Internet Explorer – nine of which are the most severe and can allow for remote code execution. However, there are two other Critical updates that you should be paying attention to – MS15-033 and MS15-034.

MS15-033 addresses five separate vulnerabilities in Microsoft Office, all of which could allow remote code execution. If that doesn’t encourage you to apply this patch, perhaps you should consider that one of the vulnerabilities within the update is currently being exploited in the wild. This is the only vulnerability in this month’s update that is known to be actively exploited.

The third Critical vulnerability has a CVSS of 10.0 from US-CERT, which is the highest rating possible. This patch should be your first priority above all others. Although the likelihood of this vulnerability being exploited is low it is a credible threat to your business and the potential damage it could cause is massive. The vulnerability can be exploited if an attacker sends a specially crafted HTTP request to an affected Windows system. Unlike the other Critical patches this month, MS15-034 requires no user interaction whatsoever, which makes it so dangerous.

The final Critical bulletin for April, like the first two this month, has a CVSS of 9.3. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.

The remaining Important bulletins address vulnerabilities that could allow elevation of privilege, bypassing security features, information disclosures, and denial of service vulnerabilities.

Once you’ve prioritised your patches, I would always advise that you stage your roll out by testing and piloting the updates before deploying widely. This will help identify any compatibility issues. This should be done as standard each month, which is something we’ll always do for customers and MSPs through Syxsense.

Update no.

CVSS Score Microsoft rating Affected software Details

MS15-034

10.0 Critical Microsoft Windows Vulnerability in HTTP.sys could allow remote code execution
MS15-032 9.3 Critical Microsoft Windows, Internet Explorer

Cumulative security update for Internet Explorer

MS15-033

9.3 Critical Microsoft Office Vulnerabilities in Microsoft Office could allow remote code execution
MS15-035 9.3 Critical Microsoft Windows Vulnerability in Microsoft Graphics Component could allow remote code execution
MS15-038 7.2 Important Microsoft Windows Vulnerabilities in Microsoft Windows could allow elevation of privilege
MS15-037 6.9 Important Microsoft Windows Vulnerability in Windows Task Scheduler could allow elevation of privilege
MS15-036 4.3 Important Microsoft Server Software, Productivity Software Vulnerability in Microsoft SharePoint Server could allow elevation of privilege
MS15-039 4.3 Important Microsoft Windows Vulnerability in XML Core Services could allow security bypass feature
MS15-042 2.7 Important Microsoft Windows Vulnerability in Hyper-V could allow denial of service
MS15-041 2.6 Important Microsoft Windows, Microsoft .NET Framework Vulnerability in .NET Framework could allow information disclosure
MS15-040 1.9 Important Microsoft Windows

Vulnerability in Active Directory Federation Services could allow information disclosure

||MSPs patch management article|

Microsoft Patch Tuesday: Are Those Critical Patches Really Critical?

By Patch Management, Patch TuesdayNo Comments

MSPs have the opportunity to position themselves as the authority on patch management for their customers, both in terms of making the best use of time available and patch prioritization.

Downtime. One word to strike fear into the hearts of even the hardiest of IT managers. Avoiding downtime at pretty much all costs is the name of the game now. However, with the reliance on Microsoft (MSFT) products, there is inevitably going to have to be some downtime to roll out patch updates to keep systems secure.

The problem: The more updates there are, the longer the downtime isMSPs patch management article needed to update and install patches. For customers this can be a challenge, but for IT service providers and Managed Service Providers, this can be a real headache. Invariably, your customers have a very limited window when systems can be taken offline to install patches. This is all well and good when there’s a only a few patches, such as in January’s update, but when there are a large number (generally eight or more), this can be a real challenge…Read more of Ashley Leonard’s article published on The VAR Guy

|Patch Tuesday

Patch Tuesday: February 2015

By News, Patch Management, Patch TuesdayNo Comments
[vc_single_image image=”3020″ img_size=”full” alignment=”center”]

This month’s Patch Tuesday is a bit of an interesting one…

MS15-011 affects all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 RT, and Windows RT 8.1. Essentially, any domain-joined Windows Clients and Servers may be at risk.

The flaw, dubbed JASBUG, was discovered by JAS Global Advisors back in January 2014. The company however, adhered to good disclosure practices and the vulnerability wasn’t made public until Microsoft had prepared a fix. The fact that it has taken Microsoft over a year to develop a fix should indicate just how wide ranging and complex the vulnerability is.

According to JAS Global Advisors: “The fix required Microsoft to re-engineer core components of the operating system and to add several new features.”

Outlined below are the critical updates you need to be focusing on. As usual, we have cross-checked Microsoft’s own rating with US-CERT’s independent assessment of the patches so you are in the best position to choose the most important updates for your business.

MS15-011

This security update, which I mentioned above, is a remote code execution vulnerability existing in how group policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploits this vulnerability could take complete control of an affected system, letting them install programs; change, view, or delete data; or even create new accounts with full user rights.

MS15-010

The most severe of the six privately reported vulnerabilities could, again, allow remote code execution if an attacker is able to convince a user to open a specially crafted document, or to visit an untrusted website that contains embedded TrueType fonts.

MS15-009

This security update resolves one publicly disclosed and 40 privately reported vulnerabilities in Internet Explorer, with the most severe of these allowing remote code execution. If a user views a specially crafted web page it could allow an attacker to gain the same user rights as the current user.

Microsoft rates the remaining six patches in February’s update as Important. A full breakdown of these ratings compared to the US-CERT ratings can be found in the table below. I’d always advise to use US-CERT’s rating in conjunction with Microsoft’s, which will give you a much clearer picture of which patches you should be prioritising.

Update no.
CVSS score
Microsoft rating
Affected Software
Details
MS15-012 9.3 Important Microsoft
Office
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
MS15-011 8.3 Critical Microsoft Windows Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
MS15-010 7.2 Critical Microsoft Windows Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
MS15-009 6.8 Critical Microsoft Windows, Internet
Explorer
Security update for Internet Explorer (3034682)
MS15-017 6.8 Important Microsoft Server Software Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
MS15-015 6.0 Important Microsoft Windows Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
MS15-013 4.3 Important Microsoft
Office
Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
MS15-016 4.3 Important Microsoft Windows Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
MS15-014 3.3 Important Microsoft Windows Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)