Before Christmas we unleashed a flurry of articles around the potential for Windows Server 2003 to be extremely vulnerable to hackers, when patches stop.
It turns out this is happening a little bit earlier than anyone anticipated, at least for this vulnerability. A 15-year-old bug that allows malicious code execution in all versions of Windows has just been patched by Microsoft but not for Windows 2003. (See here for the full story)
The new vulnerability - which Microsoft classifies as MS15-011 and the researcher who first reported it calls Jasbug – is another sign of things to come for Windows 2003 “The Abandonment”.
As MAXfocus Security Lead for LogicNow my role is to help identify and anticipate areas of potential harm for the MSP community and by extension the customers of the MSPs worldwide. Months ago we were alarmed at the number of Windows Server 2003 platforms still in operation and although many MSPs are moving their customers along the upgrade path – many folks are more cavalier. Disclosure of this issue is the first in a long line of potential exploits that will target this operating system’s exposed, Internet-facing services.
Complacency is simply not an option – action must be taken before Windows 2003 systems are compromised by cyber criminals.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.