Organizations that still use Windows Server 2003 got a surprise on June Patch Tuesday, with a Microsoft security update for the unsupported server operating system.
A month after the company issued patches for legacy systems to ward off the WannaCry ransomware attacks that affected thousands of computers, Microsoft released a free patch for Windows Server 2003, which has been unsupported since 2015. Microsoft addressed the exploit used in the WannaCry attacks in its March Patch Tuesday, but that only applied to supported Windows systems. The company later issued updates to protect unsupported Windows XP, Windows 8 and Windows Server 2003 operating systems.
This most recent course reversal -- which also applies to other unsupported systems, such as Windows XP -- comes alongside June Patch Tuesday updates that addressed an eye-opening 94 vulnerabilities.
"In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations," Adrienne Hall, general manager of Microsoft's Cyber Defense Operations Center, wrote in a blog post. Hall indicated Microsoft chose to issue these additional security updates to protect unsupported systems from threats that may be similar to WannaCry.
Microsoft uses end-of-life support deadlines to encourage businesses to migrate from legacy systems, such as Windows Server 2003. By releasing a security update for an unsupported product, Microsoft risks setting a precedent that businesses can stay with legacy products and still receive critical security updates.
In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, cautioned that this "should not be viewed as a departure from our standard servicing policies," and businesses will be best-served by staying on Microsoft's roadmap with supported Windows systems.
"It's sort of a double-edged sword," said Amol Sarwate, director of vulnerability labs for Qualys Inc., based in Redwood City, Calif. "For things like WannaCry, when the exploitation is so high and everyone and anyone is affected, Microsoft did the right thing by releasing patches for an end-of-life operating system."
At the same time, "if they do this more often, people will start thinking the patches will be there, and that takes them away from the goal of moving away from the old operating systems," he said.
Patch for in-the-wild vulnerability
Of the 94 vulnerabilities Microsoft identified for June Patch Tuesday, 27 are remote code execution (RCE) vulnerabilities that could allow an attacker to take control of a machine.
Sarwate said the top priority for Windows Server administrators should be CVE-2017-8543, which affects Windows Server 2008 and above, and is currently exploited in the wild. On an unpatched system, attackers can send a specially crafted Server Message Block request to the Windows Search service to gain control of a computer.
Administrators should give prompt attention to CVE-2017-8507, an RCE vulnerability in Microsoft Outlook that an attacker could use to gain control of a system when a user views an email message, Sarwate said.
For more information about the remaining security vulnerabilities released on June Patch Tuesday, visit Microsoft's Security Update Guide.
Dan Cagen is the associate site editor for SearchWindowsServer.com.