If you look at the recent Patch Tuesday lineups, we have seen the usual updates for the Microsoft Windows OS, browsers, and Office. In the last two months we have seen updates for .Net Framework and in the last four months we have seen updates for Exchange Server.
For non-Microsoft updates we have a pre-notification from Adobe, but Oracle released their CPU in January and both Chrome and Firefox just released at the end of January. So the February Patch Tuesday update could be pretty light, but there is a chance for some volume.
We will come back to the forecast in a moment, but let’s switch gears and talk about a few topics that you should be thinking about.
Windows 7, Server 2008 and Server 2008 R2 End of Service
First, Microsoft has announced Extended Security Updates for Windows 7 systems as a pay-per-device service. Some price points have apparently been leaked to the public already, but the model will be a per-device cost with volume breaks and discounts if you are an Enterprise or education customer, and the price will increase year over year.
So, Windows 7 reaches end of support in January 2020 (yes, less than a year away) and the Extended Security Updates (ESU) service will be offered until January 2023. Prices will increase each year. Customers under an ESU contract will also have Office 365 ProPlus support on Windows 7.
On the server-side Windows server 2008 and 2008 R2 will also reach end of service in January 2020. There will be a similar pay-per-server ESU license for continued support for these server platforms. As we are now 11 months away from the end-of-service dates you should be asking the following:
1. Do we have a need for continued use of Windows 7, Server 2008 or Server 2008 R2 in our environment? Or will all systems be retired before the end of service date?
2. If we need to continue service past the end-of-service date how exposed will these systems be? Can they be locked down, segregated from other systems, layered with additional security controls to mitigate risk or do we need to purchase an ESU contract from Microsoft?
3. If we need to purchase an ESU how will we continue to update these systems? Do we have a solution in place that can support the ESU updates?
Most companies are marching toward the Windows 10 migration, but often there are cases where a legacy system will keep older platforms around for a period of time until it can be transitioned. Make sure you have plans in place to reduce the security risk if you need to keep these legacy systems in place for a while.
February 2019 Patch Tuesday forecast
Let’s look ahead to our forecast for Patch Tuesday week:
- Microsoft will have the typical Windows, browser, and Office lineup this month. There is a chance for the Exchange Server streak to continue and potentially .Net Framework for a third month running. We also have not seen SQL server for some time, so if one or more of those products enter Patch Tuesday the volume of updates could increase a bit.
- Adobe has announced a pre-notification for Adobe Acrobat and Reader. Expect that and Adobe Flash Player next week.
- Oracle released their quarterly CPU in January, so if you already tackled Java and other Oracle updates as part of last month’s maintenance you are good. Otherwise ensure you are resolving any of those updates in February.
- Google Chrome and Mozilla Firefox both released at the end of January. There is an off-chance we may see one or both next week, but a lower chance for sure.