Windows Vista - security updates unavailable in Windows Update

[k.d]

Hello,

when googling something about Windows Vista, I found this:

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

The bit of text that caught my attention is:

Quote

These updates are available from the Microsoft Update Catalog only.

Are there any other security updates for Vista that are distributed only via the Microsoft Update Catalog? Is there a list of some sort?

[+BudMan MVC]

Vista?  You mean the product that has been EOL for years.. Even the extended supported ended back in April of 2017..

[k.d]

Yes, this one.

I know it's EOL, but I'm still forced to use it for at least a few more months, no going around that. It's EOL and yet it didn't stop MS from releasing a patch to fix the vulnerability.

[Jason S. Global Moderator]

there are always patches for every MS OS that are Catalog only. i've never seen a concise list.

[+BudMan MVC]

7 hours ago, k.d said:

but I'm still forced to use it for at least a few more months

Yeah the YEARS of notice of EOL are really easy to miss

[k.d]

As I said, there's no other option atm, let's stay on topic

[Nick H. Supervisor]

1 hour ago, k.d said:

As I said, there's no other option atm, let's stay on topic

There may be no other option, but it doesn't change the fact that support ended for Vista a loooong time ago. If security is your concern you're using the wrong OS.

[gborn]

There are several layers of answers.

• First of all, Windows Vista has reached end of life since 2017 - so no more further official updates are available. See also the short blog post Windows Vista reached End of Live (April 11, 2017).
• All old updates released untill the Vista EOL update are still available, to allow updating a fresh install to the latest available patch level.
• But there has been a way to patch Vista beyond the EOL, as I've outlined it within the blog post Windows Vista: Patching beyond EOL till January 2020. The trick was to download updates for Windows Server 2008 from Microsoft Update Catalog and install the packages manually. 

But all good things comes to an end. Since Microsoft has changed it's signing of Update packages to 'SHA-2 only', older operating systems before Windows 8 needs updates for SHA-2 support. So Vista users are running into issues installing frei Windows Server 2008 updates. I've outlined some details and a partial workaround within the blog post Windows Vista: No more unofficial updates due to SHA2. But that's a 'shady solution' so I recommend dumping Windows Vista in environments where machines are connected to the internet. 

[k.d]

And vice versa, Microsoft ending support for Vista a long time ago doesn't change the fact that for a limited time I still have to bear with this system. The patch I mentioned in OP was released this year, which proves MS is still patching a least some vulnerabilities but does not share them via Windows Update for convenience. And that's what I'm trying to get help from you with - getting my hands on all these "hidden" updates. 

I am more than aware I should replace this OS as soon as possible, you really don't have to repeat yourself five times for me to get it, and trust me, it's getting done. Won't get done in a week though, that's why I want to bring this machine to be as up to date as it can for the time being. 

 

EDIT:

Thank you @gborn, I was trying to install WS2008 rollups and I was getting an error about certificates, the link you sent about SHA-2 seems to explain it

BTW the machine is not connected to the internet but to an intranet, but that doesn't change the fact the system is getting replaced. 

 

Edited October 29, 2019 by k.d

[k.d]

Looks like @gborn's post was removed so I'll post an answer.

It seems you can install security rollups for Windows Server 2008 on Windows Vista, but due to lack of SHA-2 support only older updates work. However, installing the KB4493730 update brings support for SHA-2, allowing me to install the latest security rollup.

Thanks for the security lesson guys

[erpster3]

k.d

 

you need to visit the Vista forums and ask there if you really want to install recent Server 2008 updates onto Vista