Skip to main content
Tag

software update services

Windows 7 Post-Retirement: Patches for a Price

By News, Patch ManagementNo Comments

Windows 7 Post-Retirement: Patches for a Price

Microsoft has announced that it will offer Windows 7 patch support to any business, no matter how small, that is willing to pay.
[vc_empty_space]
[vc_single_image image=”34377″ img_size=”full”]

Microsoft is now allowing Windows 7 Extended Security Updates (ESUs) to be available to any business. The major move ensures that any business user who is unable to (or unwilling to) migrate to the newer Windows 10 can still receive security updates and support until January 2023.

Back in September 2018, Microsoft announced extended support for the aging operating system, except it was limited to only customers with volume licensing deals for Windows 7 Enterprise, as well as Windows 7 Professional. Recently, it was altered again to make it more widely available to any business simply willing to pay (commonly referred to as “patches-for-a-price”) since the deadline for support on Windows 7 is strictly coming to an end in January 2020.

“Through January 2023, we will extend the availability of paid Windows 7 Extended Security Updates (ESU) to business of all sizes,” stated Jared Spataro, Corporate Vice President for Microsoft 365. “The Windows 7 ESU will be sold on a per-device basis with the price increasing each year. Starting on December 1, 2019, businesses of any size can purchase ESU through the cloud solution provider (CSP) program. This means that customers can work with their partners to get the security they need while they make their way to Windows 10.”

How much will Windows 7 support cost?

The new pricing won’t be very cheap and will be strictly-limited to a per-device model. The pricing will also be different between Pro- and Enterprise-licenses and will indeed increase each year. Pricing of the ESUs will start from $25 per device for Windows Enterprise in year one, then up to $100 per device in year three. For Pro users, the ESU pricing starts at $50 per device in year one and up to $200 per device in year three.

In addition to exclusive and continued support for the dying operating system, Microsoft reminded all Office 365 users that Windows 7 is coming to an end and is strongly urging all to upgrade as soon as possible due to potential security risks if left unsupported. “Using Office 365 ProPlus on older, unsupported operating systems may cause performance and reliability issues over time,” stated Microsoft in late September. “Therefore, if your organization is using Office 365 ProPlus on devices running Windows 7, we strongly recommend your organization move these devices to Windows 10.”

Even though Windows 7 is now receiving extended support for security updates and fixes, Microsoft will not allow the device running Windows 7 to receive Office 365 ProPlus feature updates, limiting the license itself.

“This information applies even if you have purchased Extended Security Updates (ESU) for Windows 7…After you move Office 365 ProPlus to a supported Windows operating system, preferably Windows 10, you can configure Office 365 ProPlus to begin receiving feature updates again. Since updates for Office 365 ProPlus are cumulative, you will receive all the feature updates that you missed while the device was running Windows 7.”

It’s worth noting that although Windows 7 can still technically be used for Office 365, Microsoft didn’t release any additional details on that level of support, “We’ll be providing more information by January about how to get security updates for Office 365 ProPlus on devices running Windows 7 after support for Windows 7 ends.”

Final Thoughts

So there you have it. Windows 7 will gain extended support, if you want to pay the hefty price, but any Office 365 users (or any service for that matter) should be wary that certain aspects will not receive support after the January 2020 deadline.

The industry recommendation is to migrate all devices to Windows 10 to ensure all services won’t be affected as well as full support for quality and feature updates.

[vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.
[vc_btn title=”Get Started with Syxsense” color=”warning” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial|||”]

CVE and CVSS: Explained

By BlogNo Comments

CVE and CVSS: Explained

CVE and CVSS are some of the most commonly misunderstood aspects of patching today. Explore the differences and see how they can affect your patching strategy.
[vc_empty_space]
[vc_single_image image=”33897″ img_size=”full”]

Although many IT managers are familiar with these terms, CVE and CVSS are some of the most commonly misunderstood aspects of patching today. These two different terminologies are synonymous with operating system, software vulnerabilities, and patching.

What is CVE?

The CVE (Common Vulnerabilities and Exposures) number is a unique identifier used by vendors such as Microsoft, RedHat, and Adobe to catalog individual vulnerabilities where patches are provided as a resolution.  For example, every page of a book has a unique number. This solves the problem of finding the information on the page quickly.

Usually all CVE numbers look like this: CVE-nnnn-nnnn. You can see there is scope for millions of vulnerabilities.

“Our clients should feel confident that the CVE number is not owned by any specific software vendor,” said Robert Brown, Director of Services for Verismic Software. “Therefore, it is an unbiased and independent database for all vendors to publish their vulnerabilities.”

This also means that vendors must publish transparent content to these databases. At the very least, this provides some assurance to the accuracy of the data. Each company that wishes to publish its vulnerability announcements must become a CNA (CVE Numbering Authority) before its participation is considered reliable.

Vendors will include as much information as possible within each CVE record. For example:

  • CVE number
  • Description of vulnerability
  • Severity
  • References to other CVE records (also known as supersession)
  • Change History
  • Publish Date

What is a CVSS Score?

The CVSS (Common Vulnerability Scoring System) is an independently assigned score (out of 10) which is based on a large number of factors to determine the importance of a vulnerability. To compare CVSS scores, let’s look at how Microsoft scores their vulnerabilities.

Microsoft’s rating system is relatively simple:

  1. Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
  2. Important – Vulnerabilities where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
  3. Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
  4. Low – The impact is comprehensively mitigated by the characteristics of the mitigated component.
  5. NA – Not Available

However, Microsoft’s approach self-certifies vulnerabilities in its products.

Generating the CVSS score is highly complex, but it takes into consideration the following important questions:

  1. How easy is the vulnerability to be exploited? Do you need network or physical access and do you need elevated privileges?
  2. Can you exploit over the internet or do you need physical access?
  3. Is specific software or configuration of software needed? Does it impact everything?
  4. How much end-user interaction is needed?

Each of the above (and much more) are arranged in a sub score that is calculated together. The CVSS score is then calculated out of 10. Industry experts believe this offers the most accurate way to determine the priority of how quickly you must take action if any of these vulnerabilities exist within your environment.

Rating CVSS Score
None 0.0
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical 9.0 – 10.0

 

Are CVSS scores necessary? Prove it!

Let’s take a couple updates from the August 2019 Patch Tuesday, and a few others to compare:

 

Vendor Patch Name Vendor Security CVSS Score
Google Chrome_v76.0.3809.100 NA High – 8.8
Microsoft KB4462137 Critical High – 7.8
Microsoft KB4474419 NA Critical – 9.8
Microsoft KB4508433 NA Critical – 9.8
The Document Foundation LibreOffice_v6.2.5 NA Critical – 9.8

 

As you can see from the sample above, vendor severity and CVSS scores are not always aligned. If you take Microsoft’s severity rating at face value, you can potentially waste two of the most precious assets you have—time and resources. Rolling out many patches across a massive distributed IT environment takes time.

The longer a known vulnerability is left unpatched, the greater the risk of having it exploited by an attacker. Evidence suggests that attacks against known vulnerabilities spike in the hours and days after the patches are released—this is why it’s important to know how urgent a vulnerability is. 

What’s the solution?

Take any vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as the Common Vulnerability Scoring System (CVSS). Each month US-CERT / NIST uses CVSS to rate most patch updates the same day they are released. This gives a better idea of the risk level for a particular vulnerability to your business.

Downtime for businesses can also be extremely costly. The best approach to patching is to have a dedicated window of downtime each month to update systems. If there is a compatibility issue with a patch and systems need to be rolled back, this extends the downtime and can impact the bottom line of a business.

However, this is a service we provide to clients. We analyze the binary code for each patch update and begin testing and piloting the updates before deploying them through Syxsense. This allows us to discover any problems with patch updates before they’re implemented.

Patching is all about improving your security posture. By taking a measured approach and using independently assessed scores, you can confidently prioritize which patches need to roll out.

[vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.
[vc_btn title=”Get Started with Syxsense” color=”warning” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial|||”]
||||

Prepare for Patch Tuesday!

By News, Patch Management, Patch TuesdayNo Comments
[vc_single_image image=”25975″ img_size=”full”]

Do you have a patching strategy? It should include turning off Automatic Windows update.

Patch Tuesday is here. To avoid the usual splitting headache, we recommend disabling automatic updates for Windows and implementing a reliable patch strategy.

Windows 10 updates whether you want it to or not…unless you know the trick. While we recommend that you always keep your systems patched, sometimes the updates are worse than the vulnerability, like the July Patch Tuesday this year.

Win10

If you have a Professional, Enterprise, or Education edition of Windows 10, you can turn off automatic updates, but the option is hidden. You need to pull yourself out of beta testing and then delay new versions by setting the “feature update” deferral to 120 days or more. Here’s what to do in version 1703, if you have a later version of Windows 10 these settings still apply, but the wording is slightly different.

  • Press Win-R, type gpedit.msc, press Enter. This brings up the Local Group Policy Editor.
  • Navigate the left pane as if it were File Explorer to
  • Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Updates.
  • Choose Select when Feature Updates are received.
  • In the resulting dialog box, select Enabled.
  • In the Options box, type in how many days you’d like to pause updates and then in the next field type in today’s date.
  • Click Apply and then OK.

If you want to you can repeat this process for the second setting in Group Policy named Select when Quality Updates are received. Keep in mind, however, that quality updates include security updates and skipping them is not the best idea. On the upside, security updates are cumulative meaning if you do skip these updates, you can download the next one and be up to date.

Win7 and 8

  • Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
  • Click Start > Control Panel > System and Security > Turn automatic updating on or off.
  • In the Important updates menu, select Never check for updates.
  • Deselect Give me recommended updates the same way I receive important updates.
  • Deselect Allow all users to install updates on this computer and click OK.
[vc_single_image image=”25987″ img_size=”medium” alignment=”center” onclick=”custom_link” link=”https://go.pardot.com/l/62402/2016-08-30/2y9m9t”]

Patch Strategy

Your IT update solution should facilitate phased rollouts and have full rollback options. These are the necessary keys to avoiding data loss or device outages.

Step 1. Identify

You can’t manage your environment if you don’t know what devices are there and which need updates. An IT solution should also be able to manage roaming devices.

Plus, if data is stale, it could mean missing a device or update that was critical to secure. Detect the state of your environment with live, accurate, and actionable data.

Step 2. Test Group Deployment

Deploy the updates to a small group of devices. These devices should be of low impact to the overall productivity of your company. Once these devices have been successfully and safely updated, you can deploy needed updates without worrying about a massive disaster.

Step 3. Phased Rollout

Now updates should be distributed to any device that needs them. However, you want this task to preform around business hours. Updates are important, but so is avoiding interruptions of productivity. A maintenance window should be set up so that any update tasks happen before and after business hours.

And to facilitate a proper patching strategy, look to a comprehensive IT solution.

Syxsense

This is the solution for all of your patching needs. Syxsense can deploy updates to Windows, Mac, and Linux devices. It is a complete patching solution that can manage devices both in your network, but also roaming and out of the office.

[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]

Software Update Service

We understand that while updating software is the #1 way to protect your environment, it’s low on your priority list. As an IT department, you have other pressing tasks that you need your attention.

With our Software Update Service, you can move forward while we keep your devices up to date.

Our expert patch management team provides reliable support with detection and remediation for Windows and third-party software updates. We work closely with you to provide safe and efficient endpoint security with your own systems management tool or ours, Syxsense.

Our team will keep your IT systems reliable with endpoints updated and secure.