Is it just me or does Microsoft continue to confuse the masses of exactly how the “extended security update” program works. Perhaps the confusion is a vital part in that they want you to have upgraded to Windows 10 four to five years ago.
However, there are many institutions that need to keep their legacy Windows 7 / Server 2008 (R2) machines up to date. For details on how to keep the update coming, Kurt Mackie gives a thorough breakdown here of what needs to be done as well as what is required to accomplish this task.
I have to say that for a story like this, a picture truly does say 1,000 words. And in the case of companies like Avast that have historically offered a good free antivirus program, just know that there’s no such thing as free and that there is always a price to pay. In this case, your browsing freedom is being spied on.
As the article’s summary states:
Avast is harvesting users’ browser histories on the pretext that the data has been ‘de-identified,’ thus protecting your privacy. But the data, which is being sold to third parties, can be linked back to people’s real identities, exposing every click and search they’ve made.
Check out the full article written by Michael Kan here for the full scoop!
According to Microsoft’s security update guide, a spoofing vulnerability that utilizes the Crypt32.dll file can be used to control a machine at will.
As stated within the emergency bulletin:
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
Good news is that Microsoft has already released a patch to close the loophole so make sure you take care of this ASAP!
At last, the time has come. Today marks the last day of free security updates for the legacy OS. For those of you that still plan on using it for the foreseeable future, it may be in your best interests to bit the bullet and spend the extra $50-60 for an additional year of coverage.
For more info on the extended security updates (ESUs), head to Microsoft’s site and check out their FAQ sheet here…