April Patch Tuesday Forecast: Be aware of end-of-service issues and browser exploits
April Patch Tuesday is nearly here with two significant topics of concern. The first relates to end-of-service milestones and the second issue is browser exploits.
Let’s start with end-of-service. This is a fitting topic this month given we have two Windows 10 versions that are hitting end of service milestones in April, but I do want to expand the conversation beyond Windows 10 to discuss Windows 7, Server 2008 and 2008 R2, Flash Player, Java 8 and end of life software in general. Yes, that is a lot of software coming up on, or already past, end of service.
As you can see by the chart below (taken from Microsoft’s Windows 10 lifecycle fact sheet) we have two versions of Windows 10 hitting an end-of-service milestone next week.
A couple of key questions have come up recently that I want to address here.
Does the end-of-service date mean these versions are receiving one last update in April?
Yes, Microsoft has designated the end-of-service date for Windows 10 to coincide with Patch Tuesday. So that date is the final security update that will be released for that version.
Microsoft states that end-of-service means that version is no longer supported by monthly quality updates. Will there still be security updates past that end-of-service date?
The monthly quality update is the security update that releases on Patch Tuesday for Windows 10. The monthly quality preview is the update that comes out later in the month and includes feature changes and non-security updates. End-of-service is an end to both. No further updates should be expected for versions that have reached end-of-service. Microsoft is not required to release critical security updates past this point and while we have seen an update for end-of-serviced versions in the past, we cannot expect Microsoft to release additional updates in the future.
In short you need to accept that you are on the Windows 10 branch upgrade train. All aboard! So here are a few tips to get the most life possible out of your Windows 10 versions.
Tip 1: If you are on Enterprise or Education editions the xx09 release each year has a 30-month lifecycle. Plan to get the majority of your Windows 10 systems onto the fall release each year. This will allow you to skip over more versions and still stay supported. So those of you on 1709 will be able to wait for 1909 this fall. When it hits the streets you SHOULD have about six months to transition systems in batches over to 1909 before 1709 hits end-of-service on April 14, 2020.
Tip 2: Get tools in place to handle Windows 10 migrations in short order. Most companies rely on hardware refreshes to transition systems to a new version of the OS. This is not the case anymore. The most you can expect to squeeze out of Windows 10 is about 24 months. This leaves six months to migrate systems if you can move fast. It would be best to have tools and processes in place to track and migrate Windows 10 versions around every 20 months if you are on the Enterprise or Education license. For Pro licenses you have a maximum of 18 months, so you need to upgrade to the next version roughly every 10 to 12 months. Any organization should be able to migrate versions of Windows 10, fully automated, and be able to move the majority of their organization in six to eight months.
Looking ahead
There are a lot of additional end-of-services dates on the horizon and more and more companies are asking questions about these dates. Here are a list of software titles and their respective end-of-service dates:
Windows 7, Server 2008, Server 2008 R2: These three Windows versions will reach end-of-service on January 14, 2020.
Java 8: The final update for Java 8 (commercial) was in January 2019 so this month’s Oracle CPU (April 16) will NOT include a Java 8 (commercial) update. If you have contacted Oracle and are paying for extended support, you are good. Otherwise, you want to consult your legal department and look into how Java 8 is being used. Most organizations will fall into the commercial terms category, which is no longer supported.
Flash Player: While not happening until the end of 2020 I already have questions about Flash Player end-of-service as well. Many companies are looking for alternatives. A few exist, but they may pose difficulties, such as extras bundled with the installers. Community projects are unlikely to get the same level of diligence or attention as the real thing and will still carry all the security risks.
Bottom line, no matter what path you choose for software that is reaching end-of-service there is a cost. Your choices?
1. Upgrade to later systems or replace systems reliant on the end-of-service software. (This is the most secure and supportable option.)
2. Contact the vendor regarding paid support options to continue using the application until you can transition from business-critical apps as needed.
3. Layer on security controls (application control, etc), segregate software by moving it to a VDI environment, limiting access and connectivity (especially to the Internet).
4. Do nothing. Yeah, not really recommended.
All of these options require trade-offs in the forms of cost and risk. You need to pick which is best for your circumstances, but there are no free/easy options.
Browser exploits
Moving into some more immediate news, a small handful of disclosed vulnerabilities on multiple browsers have surfaced.
- On March 30, the details of exploits targeting Internet Explorer and Edge were released by James Lee on Twitter. The exploits abuse same-origin Policy (SOP), which is a security feature implemented to restrict a web-page or script loaded from one origin from interacting with a resource from another origin. In other words, an attacker can use these exploits to steal your data from other sites.
- On April 4, the details of a remote code execution vulnerability were disclosed on researcher Istvan Kurucsai’s blog post on Exodus. The vulnerability would allow the attacker to execute code, but not to escape the browser sandbox. An additional vulnerability would be required to do that.
April Patch Tuesday forecast
- Expect to update browsers this month! The Google Chrome fix is in the pipe. It’s just a matter of when Google will release it. The IE and Edge updates this month may include fixes for the disclosed vulnerabilities.
- Expect the normal OS, browsers and likely a Flash Player update from Adobe.
- We will very likely see some Office updates.
- Oracle is releasing their quarterly CPU on April 16, so expect that the week after Patch Tuesday, but Java 8 is only releasing for personal use as I previously stated. Check your licensing or ensure you have a valid extended support agreement with Oracle if you need to continue patching Java 8.