05.01.20 UPDATE:  Beginning Thursday, May 21, 2020, Systems Engineering will be moving forward with our patching service changes. We initially scheduled these for March, but then delayed as we all adjusted to working from home due to the pandemic. Our patching service changes are in response to Microsoft's new way of servicing Windows, which you can read more about in this blog post.

Beginning Thursday, March 19, 2020 May 21, 2020, Systems Engineering will be enhancing our patching services. Before we communicate these enhancements, it's essential to understand the motivation behind them. Our patching service changes are in response to Microsoft's new way of servicing Windows known as Windows as a service.  

You may recall from our previous blog post in October that Microsoft will replace the core terms of their customer agreement for all existing and new Microsoft customers after January 31, 2020. This new Microsoft Customer Agreement (MCA) is said to improve the purchase experience to better support all customers.

Yesterday Microsoft announced and delivered a fix for a serious vulnerability in Windows 10 cryptography function (CVE-2020-0601). The NSA had previously discovered and notified Microsoft to develop a solution. Microsoft also stated that they had seen no exploit of this vulnerability to date. The vulnerability would allow an attacker to disguise their malicious software as a valid and certified piece of code; thereby spoofing the Windows 10 PC or Windows Server 2019 into thinking it is legitimate code that can be trusted and therefore executed.

The time for Windows 7 has come and gone. As of January 2020, Microsoft stopped providing extended support for the popular operating system. While Extended Security Updates (ESU) are available for the Professional and Enterprise editions of Windows 7, this option comes at an increasing cost to organizations. It's critical to start planning your migration to Windows 10 now. 

Citrix recently published a critical security bulletin (CVE-2019-19781) advising users of a vulnerability in the Citrix Application Delivery Controller (ADC) device formerly known as NetScaler ADC, Citrix Gateway, and NetScaler Gateway. If exploited, it can allow an unauthenticated attacker to execute code on the appliance that can lead to possibly compromising a critical perimeter security component. Many organizations rely on these devices as load balancers to control access from the outside to internal Citrix Servers and to terminate SSL VPNs.

Cisco recently released a collection of 10 security advisories against Cisco's Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software. The collection includes a few high-risk vulnerabilities that affect File Transfer Protocol (FTP) Inspection, Session Initiated Protocol (SIP) inspection that could lead to a denial-of-service condition. Importantly, Cisco is not aware of any public exploitation of the vulnerabilities. 

This month, Microsoft began the transition to a new customer agreement, which replaces the core terms for all Microsoft customers. Their goal is to improve the purchase experience to better support all customers. They also had some important security-related reasons for the change, including;