Windows Vista - security updates unavailable in Windows Update

k.d    1

Hello,

when googling something about Windows Vista, I found this:

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

The bit of text that caught my attention is:

Quote

These updates are available from the Microsoft Update Catalog only.

Are there any other security updates for Vista that are distributed only via the Microsoft Update Catalog? Is there a list of some sort?

+BudMan    3,585

Vista? You mean the product that has been EOL for years.. Even the extended support ended back in April of 2017..

k.d    1

Yes, this one.

I know it's EOL, but I'm still forced to use it for at least a few more months, no going around that. It's EOL and yet it didn't stop MS from releasing a patch to fix the vulnerability.

Jason S.    1,525

There are always patches for every MS OS that are Catalog only. I've never seen a concise list.

+BudMan    3,585
7 hours ago, k.d said:

but I'm still forced to use it for at least a few more months

Yeah the YEARS of notice of EOL are really easy to miss ;)

k.d    1

As I said, there's no other option atm, let's stay on topic :)

Nick H.    10,113
1 hour ago, k.d said:

As I said, there's no other option atm, let's stay on topic :)

There may be no other option, but it doesn't change the fact that support ended for Vista a loooong time ago. If security is your concern you're using the wrong OS. ;)

gborn    2

There are several layers of answers.

  • First of all, Windows Vista reached end of life in 2017, so no further official updates are available. See also the short blog post Windows Vista reached End of Live (April 11, 2017).
  • All old updates released until the Vista EOL update are still available, to allow updating a fresh install to the latest available patch level.
  • But there has been a way to patch Vista beyond the EOL, as I've outlined in the blog post Windows Vista: Patching beyond EOL till January 2020. The trick was to download updates for Windows Server 2008 from Microsoft Update Catalog and install the packages manually.

But all good things come to an end. Since Microsoft has changed its signing of update packages to 'SHA-2 only', older operating systems before Windows 8 need updates for SHA-2 support. So Vista users are running into issues installing frei Windows Server 2008 updates. I've outlined some details and a partial workaround within the blog post Windows Vista: No more unofficial updates due to SHA2. But that's a 'shady solution', so I recommend dumping Windows Vista in environments where machines are connected to the internet.

k.d    1

And vice versa, Microsoft ending support for Vista a long time ago doesn't change the fact that for a limited time I still have to bear with this system. The patch I mentioned in OP was released this year, which proves MS is still patching at least some vulnerabilities but does not share them via Windows Update for convenience. And that's what I'm trying to get help from you with - getting my hands on all these "hidden" updates.

I am more than aware I should replace this OS as soon as possible, you really don't have to repeat yourself five times for me to get it, and trust me, it's getting done. Won't get done in a week though, that's why I want to bring this machine to be as up to date as it can for the time being. 

 

EDIT:

Thank you @gborn, I was trying to install WS2008 rollups and I was getting an error about certificates, the link you sent about SHA-2 seems to explain it :)

BTW the machine is not connected to the internet but to an intranet, but that doesn't change the fact the system is getting replaced. 

 

Edited by k.d

k.d    1

Looks like @gborn's post was removed so I'll post an answer.

It seems you can install security rollups for Windows Server 2008 on Windows Vista, but due to lack of SHA-2 support only older updates work. However, installing the KB4493730 update brings support for SHA-2, allowing me to install the latest security rollup.

Thanks for the security lesson guys ;)

erpster3    36

k.d

 

you need to visit the Vista forums and ask there if you really want to install recent Server 2008 updates onto Vista
