Applying patches has always been a key part of a security strategy, and vendors like Microsoft have regular patch release cycles to improve security, fix bugs and generally improve their products. Patching remains the single most important thing you can do to secure your technology, which is why applying patches is often described as ‘doing the basics’ (NCSC).
However, when software products are no longer supported by the vendor, no new patches are released for any security vulnerabilities that are identified. This could expose your IT and data to attack.
This is the case with the following versions of Microsoft Windows:
• Windows 10 Education, version 1803 and version 1809
• Windows 10 Enterprise, version 1803 and version 1809
• Windows 10 IoT Enterprise, version 1803 and version 1809
• Windows 10 Home, version 1909
• Windows 10 Pro, version 1909
• Windows 10 Pro Education, version 1909
• Windows 10 Pro for Workstations, version 1909
• Windows Server Datacenter, version 1909
• Windows Server Standard, version 1909
In addition, support for the legacy version of the Microsoft Edge desktop application finished in March, so the new Microsoft Edge should now be in use to ensure an up-to-date browsing experience.
Lack of support means that no new security patches for the product will be released. Whilst there have been some recent exceptions to this within Microsoft’s ecosystem for major security problems, these are a departure from normal practice. As a result, these platforms are likely to contain security vulnerabilities moving forward.
We strongly recommend that if you are running any of these operating systems, you should accelerate your upgrade programme to remain on a supported platform.
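One way to check whether a machine is running an edition and version pair from the list above, as an added example that is not part of the original advisory. The function names are hypothetical, and the `EditionID` strings are assumptions about how each listed edition appears in the registry (IoT Enterprise may report itself as `Enterprise`), so confirm them on a known machine first.

```powershell
# Added example: flags a host whose edition/version pair is on the advisory's list.
# A result of $false only means "not on this list"; it does not prove the release
# is still supported, so check other releases against Microsoft's lifecycle pages.
$EndOfSupport = @{
    '1803' = @('Education', 'Enterprise', 'IoTEnterprise')
    '1809' = @('Education', 'Enterprise', 'IoTEnterprise')
    '1909' = @(
        'Core',                     # Windows 10 Home
        'Professional',             # Windows 10 Pro
        'ProfessionalEducation',    # Windows 10 Pro Education
        'ProfessionalWorkstation',  # Windows 10 Pro for Workstations
        'ServerDatacenterACor',     # Windows Server Datacenter (assumed ID)
        'ServerStandardACor'        # Windows Server Standard (assumed ID)
    )
}

function Test-ListedWindowsRelease {
    param([string]$EditionId, [string]$ReleaseId)
    # Edition and version are matched as a pair: the list names Enterprise for
    # 1803 and 1809 but not for 1909, so matching on version alone would over-report.
    $EndOfSupport.ContainsKey($ReleaseId) -and
        ($EndOfSupport[$ReleaseId] -contains $EditionId)
}

function Get-LocalWindowsRelease {
    # ReleaseId holds values such as 1803, 1809 and 1909 on the releases listed here.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ProductName  = $cv.ProductName
        EditionId    = $cv.EditionID
        ReleaseId    = $cv.ReleaseId
        Listed       = Test-ListedWindowsRelease -EditionId $cv.EditionID -ReleaseId $cv.ReleaseId
    }
}

Get-LocalWindowsRelease
```

Hosts that report `Listed = True` are the ones to prioritise in the upgrade programme.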
NCSC also recommends that organisations perform a vulnerability assessment of their entire estate on a monthly basis to identify new vulnerabilities so they can be fixed before they are exploited. You can run automated vulnerability assessment tools yourself, and there is some useful guidance in Vulnerability management (NCSC.GOV.UK).
Alternatively, you can outsource this as a managed service and gain access to cyber expertise whenever you need it. For more information see our Testing as a Service (TaaS).