Microsoft has dropped some unwelcome news for system admins, with the company announcing it is deprecating the Windows Server Update Services (WSUS) feature.

Microsoft made the announcement as part of a list of features that have been removed or deprecated in the Windows Server 2025 preview.

Windows Server Update Services (WSUS) is no longer actively developed, all the existing capabilities and content continue to be available for your deployments.

The company’s Nir Froimovici said the move was made in an effort to simplify Windows management.

As part of our vision for simplified Windows management from the cloud, Microsoft has announced deprecation of Windows Server Update Services (WSUS). Specifically, this means that we are no longer investing in new capabilities, nor are we accepting new feature requests for WSUS. However, we are preserving current functionality and will continue to publish updates through the WSUS channel. We will also support any content already published through the WSUS channel.

Needless to say, the news is not sitting well with some admins. Eric Siron, a Microsoft MVP, acknowledged that WSUS has not received much love in recent years, but said deprecating it didn’t seem like the right solution.

Agreed that WSUS is a horrifically underdeveloped nightmare. But, this is not the answer. The answer is modernizing WSUS or replacing it. There’s nothing wrong with having better tools in Azure with an attached price tag. The problem comes from emptying the niche that WSUS occupies.

People need to stop thinking about this as, “I will approach this news on my systems with…” That’s not the problem. Of course, you will come up with a solution that works, and of course you will keep your systems patched. That’s not the point.

Siron points out the potential security implications of WSUS being deprecated, and the increased risk sensitive information will become vulnerable to hackers.

Realize right now that there is a 100% chance that one or more of these organizations has your personal information, credit card numbers, health records, all kinds of things. As soon as WSUS goes away, there’s a 100% chance that your data will wind up on a system that the organization didn’t want to pay to patch, somebody in subordinate.IT.company failed to properly beg someone in IT.company to patch, or OOPSIE somebody didn’t check the monthly patch result on. The risk is bad enough with WSUS. Again, look up Melissa and SQL Slammer. I forgot MSBlast, that one had a patch available before it was ever exploited, too, and still caused all kinds of drama. Anyway, the point is that it doesn’t have to be a system that you’re responsible for to become your problem.

The end of WSUS is a gift to attackers.

It’s clear that Microsoft wants to move people to Azure and its cloud services, but deprecating something like WSUS without providing a replacement solution may end up causing significant headaches down the road.

ActiveX has a long history of posing a security risk within Windows and Office. In its ongoing effort to improve the security of its products, Microsoft is disabling ActiveX controls by default, as described in the Microsoft 365 Message Center.

ActiveX will be disabled by default in Office 2024, affecting Word, Excel, PowerPoint, and Visio. This change occurs in October 2024 for Office 2024 and begins in April 2025 for Microsoft 365 apps. Users can re-enable ActiveX by adjusting Trust Center Settings, the registry, or group policy settings.

The company describes how the change will impact organizations.

Users will no longer be able to create or interact with ActiveX objects in Office documents when this change is implemented. Some existing ActiveX objects will still be visible as a static image, but it will not be possible to interact with them.

Microsoft outlines how to change the setting back, for those companies that need ActiveX controls.

In the Trust Center Settings dialog, under ActiveX Settings, select the Prompt me before enabling all controls with minimal restrictions* option.

In the registry, set HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\DisableAllActiveX to 0 (REG_DWORD).

Set the Disable All ActiveX group policy setting to 0.

CentOS was a popular community Linux distro based on Red Hat Enterprise Linux (RHEL), maintaining full compatibility with its parent distro. Eventually, Red Hat took over the project, killing the distro and ending support for the most recent CentOS 8 much sooner than anyone expected. The older, but more popular, CentOS 7 was slated to go end-of-life (EOL) on June 30, 2024.

Like many companies that relied on CentOS, LinkedIn had to decide on a migration path to move its various systems to a supported Linux distro. Given how much ill will Red Hat created within the Linux community, and among organization that relied on CentOS, it’s not surprising that LinkedIn looked for a non-Red Hat solution. Given that LinkedIn is owned by Microsoft, it’s even less surprising the company opted to go with Microsoft’s Azure Linux distro.

Nonetheless, as LinkedIn’s Ievgen Priadka, Sweekar Pinto, and Bubby Rayber point out in a blog post, moving to Azure Linux helped the company meet two critical goals:

The move to Azure Linux supported two critical goals: providing a modern, secure operating system to reliably serve over 1 billion LinkedIn members worldwide; and delivering innovative new AI-powered features to members faster. Beyond these goals, other critical factors in our decision were cost-effectiveness, customization, scalability, community support, and compliance.

The team then goes on to outline the lengthy process undertaken to ensure a smooth transition, including planning, pilot programs, infrastructure preparation, onboarding teams, data migration, and more. Almost immediately, LinkedIn began to notice improved deployment speed, as well as other benefits, from the move to Azure Linux.

Azure Linux offered our teams a sense of familiarity mixed with novelty. Our core team delivered a series of prototype hosts, which came with a pre-set operating system, to our pilot teams. These hosts helped the teams get accustomed to the new OS, experiment with it, and enjoy the experience of discovering a modern operating system.

The core team also extended personalized, in-depth assistance to help internal partner teams develop compatible software packages and set up operating system components according to the unique needs of different applications. To prepare engineers for the transition to Azure Linux OS, we shared insights from the pilot programs during technical talks, team meetings and casual office conversations.

The transition significantly improved our deployment speed and system reliability, directly enhancing our ability to innovate and respond to market demands. The seamless integration with familiar tools boosted productivity, while extensive support from Azure Linux support team helped us minimize downtime. As a result, we’ve strengthened trust and confidence in our engineering capabilities across our organization, which helps us make the case for future technological advancements and gives us a competitive edge in our operations.

The company touts the “community-driven innovation” along with its relationship with Microsoft as keys to pulling off a successful migration.

The migration of LinkedIn’s fleet to Azure Linux was a strategic decision that entailed numerous considerations and challenges. Its successful execution yielded substantial benefits ranging from cost savings to enhanced security and flexibility. We achieved both critical goals: provide a modern, secure operating system to reliably serve LinkedIn members worldwide; and deliver innovative new AI-powered features to members faster.

By embracing open-source solutions, LinkedIn, in partnership with Microsoft, harnessed the power of community-driven innovation and unlocked new levels of efficiency, agility, and competitiveness. Nevertheless, careful planning, comprehensive training and ongoing support were essential to making the transition smooth and maximizing the long-term value of the migration.

LinkedIn’s entire blog post is very detailed, well worth a read, and provides valuable insights other companies can benefit from when planning a similar OS migration.

Google Cloud has unveiled its latest innovations, aimed at helping companies unify database, analytics and AI.

Google Cloud is the third leading cloud provider, behind AWS and Microsoft Azure. The company is particularly viewed as a good option for machine learning development, and has strong support for open source software.

The company’s latest tools will go a long way toward improving its stand even further, with Dataplex, Datastream and Analytics Hub.

Dataplex is designed to “centrally manage, monitor and govern your data across data lakes, data warehouses and data marts, and make this data securely accessible to a variety of analytics and data science tools.”

Datastream, currently available in preview, helps “move and synchronize data between heterogeneous databases, storage and applications reliably to support real-time analytics, database replication and event-driven architectures with Datastream, our serverless change data capture (CDC) and replication service.”

Analytics Hub is designed to make it easy to “access and share valuable datasets and analytics assets (think BigQuery ML models, Looker Blocks, data quality recipes, etc.) across any organizational boundary.” Those interested will need to sign up for preview access.

The company’s latest tools should go a long way toward helping its customers make the most of their data, as well as AI applications.

Linux distros and desktop environments have been moving toward Wayland, X11’s more modern and secure replacement for years, with the last year seeing a marked acceleration. Fedora has long had a reputation of pushing new technologies forward, and already defaults to Wayland, so it’s no surprise that it would be among the first to stop installing X11 by default.

The change was proposed on the Fedora working group mailing list by Jens Petersen:

I was wondering if we should not stop installing gnome-session-xsession by default in F40 Workstation. I guess if we want to do that it should really happen before the Beta release.
Alternatively it could be done more formally as a Fedora Change for F41, and first in Rawhide.

After quite a bit of discussion, it was decided that Fedora 40’s release was too close to make such a big change, so it was pushed to Fedora 41, as Peterson confirmed two days ago:

Fedora Workstation WG discussed this today and we agreed we should do this for Fedora 41,
since it is really too late already for F40 and it should really be handled as a System Wide Change anyway.

Those whose workflows still depend on X11 will be able to install it from the repos.

Containers are packages containing all the apps, code, libraries and dependencies necessary to run. Containers can be easily moved from one host to another, without worrying about the underlying OS and environment. Containers can also be managed to prevent any one app or process from hogging a system’s resources, making them the ideal way to scale cloud, hosting and IT systems.

Bottlerocket is a new Linux distribution that AWS designed and optimized specifically to work with containers.

“Bottlerocket reflects much of what we have learned over the years,” writes Jeff Barr, Chief Evangelist for AWS. “It includes only the packages that are needed to make it a great container host, and integrates with existing container orchestrators. It supports Docker image and images that conform to the Open Container Initiative (OCI) image format.

“Instead of a package update system, Bottlerocket uses a simple, image-based model that allows for a rapid & complete rollback if necessary. This removes opportunities for conflicts and breakage, and makes it easier for you to apply fleet-wide updates with confidence using orchestrators such as EKS.

“In addition to the minimal package set, Bottlerocket uses a file system that is primarily read-only, and that is integrity-checked at boot time via dm-verity. SSH access is discouraged, and is available only as part of a separate admin container that you can enable on an as-needed basis and then use for troubleshooting purposes.”

AWS is launching a public preview of the OS and inviting others to try it.

Mark Sunday, CIO of Oracle, discussed the increasing need for enterprises to take a holistic, comprehensive, and automated approach towards information security in an interview with Michael Krigsman of CXOTALK:

Security is Increasingly a Big Part of the Discussion

It’s really been interesting to see the dramatic change in the awareness around security. Quite frankly, the threats have gotten much greater. Security is increasingly a big part of the discussion. If I look at the one area that my organization has increased year on year on year, it’s what we’re investing in security. We’re the norm in that. We’re not the exception. Then also the increased sophistication of the threats, the increased sophistication of the tooling, and so forth required, is putting more and more focus on this. It really becomes job one.

I think that boards have now become aware and that they are accountable to assure that the people, the processes, the technology, that all the steps that one needs to do in order to ensure the integrity, confidentially, privacy, and security, of not only a customer’s data, the company’s data, but in fact the employees data as well.

Security is Not Just the Role of the CIO

Security is getting its place at the table, whether it’s within the IT organizations, at the corporate level, or at the board level. Security has always been something that’s been out there, something that we’ve had to take into account, but more recently there have certainly been more high profile incidents that have highlighted just what the impact of security can have. But also it’s been highlighted that you need to have the focus that security is not just the role of the CIO, not just the role of the CISO, but it’s everyone’s responsibility.

It begins with making people aware of what they need to do, what the threats and the vulnerabilities are, and what their role is in defending against that. Security needs to be built into every line of code we write, every configuration we enable, every computer that we manage the configuration asset the patching level on and the updates on. It affects essentially most roles within the organization.

Every Enterprise Has the Security it Deserves

Just given the scale, size, complexity, and the opportunity for human error, you really need to take a holistic, comprehensive, and automated approach towards how you deal with configuration management, change management, and vulnerability management. All of these are key aspects. It’s very difficult if it’s done you know manually. You have to look at a comprehensive program that allows you to simplify, standardize, centralize, and automate all the aspects of how you deal with those things that you know could expose your company to security and privacy concerns.

Every Enterprise has the security it deserves. It begins at the very top. It truly begins with the board, CEO, the Executive Committee, to set the culture and to ensure that the people, process, technology, and the governance processes are in place to ensure the security of customers, companies, and employees information.

Related Articles:

Huge Volume of IoT Data Managed via AI Creates Real Value, Says Oracle VP

Oracle CEO: Applications Market Changes Significantly As It Moves to Cloud

Oracle CEO: Three Big Things in the Gen 2 Cloud… Security, Security, Security

The developers announced the OpenCore 1.0 release on GitHub, paving the way for users to install macOS Sonoma on Macs that would otherwise be left out in the cold.

With the release of OpenCore Legacy Patcher 1.0.0, we’re proud to announce macOS Sonoma support! And with it, 83 unsupported Mac models will be able to run Apple’s latest OS!

With it, we’ve finally made the jump to 1.0.0! Going forward, we’ll be following the semantic versioning system to help streamline releases.

With macOS Sonoma, we spent many months working tirelessly to get these old machines running. And because of the sheer number of different hardware we support and the challenges of working on a closed-source operating system, not all features are currently available.

Users interested in OpenCore can learn more here.

Cloudflare is one of the leading content delivery networks (CDN), used by companies in a range of industries. The company’s Richard Boulton said it originally built its platform on native Linux services, but outlined some of the challenges the company faced:

The structure of the code limits the ease of making changes. While some changes are easy to make, other things run into surprising limits due to the underlying platform. For example, it is not possible to perform I/O in many parts of the code which handle HTTP response processing, leading to complex workarounds to preload resources in case they are needed.

Deploying updates to the software is high risk, so is done slowly and with care. Massive improvements have been made in the past years to our processes here, but it’s not uncommon to have to wait a week to see changes reach production, and changes tend to be deployed in large batches, making it hard to isolate the effect of each change in a release.

Finally, the code has a modular structure, but once in production there is limited isolation and sandboxing, so tracing potential side effects is hard, and debugging often requires knowledge of the whole system, which takes years of experience to obtain.

Boulton says the company is taking a cautious approach to the rebuild, tackling those parts of its infrastructure that make the most sense to swap out:

Our systems are a lot more complicated than they were in 2013. The approach we’re taking is one of gradual change. We will not rebuild our systems as a new, standalone reimplementation. Instead, we will identify separable parts of our systems, where we can have a concrete benefit in the immediate future, and migrate these to new architectures. We’ll then learn from these experiences, feed them back into improving our platform and tooling, and identify further areas to work on.

Modularity of our code is of key importance; we are designing a system that we expect to be modified by many teams. To control this complexity, we need to introduce strong boundaries between code modules, allowing reasoning about the system to be done at a local level, rather than needing global knowledge.

The entire blog post is extremely detailed and a recommended read for anyone interested in better understanding the ins and outs of CDN infrastructure design.

According to Hacker News, six of the vulnerabilities are rated Critical and 32 are Important. The most important is CVE-2023-29336, which is being actively exploited in the wild, although just how much is still unknown:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

All users should update immediately to protect their systems.

In a blog post outlining Microsoft’s Windows roadmap, the company says there will be no more major updates to Windows 10:

As documented on the Windows 10 Enterprise and Education and Windows 10 Home and Pro lifecycle pages, Windows 10 will reach end of support on October 14, 2025. The current version, 22H2, will be the final version of Windows 10, and all editions will remain in support with monthly security update releases through that date. Existing LTSC releases will continue to receive updates beyond that date based on their specific lifecycles.

For organizations that want to remain on Windows 10 as long as they can, the company recommends updating to the 22H2 release as soon as possible to continue to get the latest security and bug fixes.

• We highly encourage you to transition to Windows 11 now as there won’t be any additional Windows 10 feature updates.
• If you and/or your organization must remain on Windows 10 for now, please update to Windows 10, version 22H2 to continue receiving monthly security update releases through October 14, 2025. See how you can quickly do this via a servicing enablement package in How to get the Windows 10 2022 Update.

Wing Security analyzed more than 550 companies to gain insight into the state of SaaS application usage. A disturbing issue was the prevalence of “Shadow IT,” a term used for when employees use apps and services that are not provided or vetted by the company’s IT department.

According to the study, in large part as a result of Shadow IT, “in a staggering 84% of companies, employees were using an average of 3.5 SaaS applications that were breached in the past 3 months.”

Wing Security attributes this to the decentralized, easy access to SaaS apps:

This occurs because of the decentralized and ungoverned nature of SaaS applications. When an employee needs a quick fix to a problem or a tool to help them do their job, chances are they will “Google it” and find a SaaS application, often a free one or with a free version, to help them. These “quick fixes” often completely by-pass company procedures. It is important to keep in mind that as small and benign as an application may seem, it can still be connected (with high permissions) to one of the organization’s major SaaS applications such as Salesforce, Slack, Zoom and others.

Another major concern was the number of data permissions apps had, including apps that were not even in use. According to the company, some “76% of all permissions that were given to applications by the users were not in use for over 30 days.”

In many cases, the need for SaaS applications is in question, with a slight majority of such apps only being used by a single employee. According to Wing Security, “55% of SaaS applications are used by only one employee, raising questions about their necessity – and making it unlikely that they were known and protected by the security team.”

Another major concern is outside access. According to the company, “20% of SaaS users to be external to the organization. These are contractors, freelancers or agencies that your employees work with and have received access to your SaaS applications.”

SaaS use is on the rise, with many companies seeing it as a way to keep costs down while scaling to meet demand. Unfortunately, it appears the industry still has a long way to go before SaaS deployment matches the security of other options.

LinuxONE Bare Metal Servers are based on the s390x processor architecture. The company says that customers “can select from a set of pre-configured profiles with corresponding amounts of memory and storage to run workloads that are highly performant on the LinuxONE platform.”

IBM has been transforming itself into a hybrid cloud company, and the new LinuxONE servers fit perfectly into that model. The servers can be deployed on-site or off, giving customers the necessary flexibility to meet their needs.

Flexible consumption options are available in both an on-premises and off-premises environment. Companies choose to use LinuxONE for a variety of Linux-based workloads, such as database scalability or application modernization with Red Hat OpenShift Container Platform.

IBM also emphasizes the environmental benefits of using LinuxONE Bare Metal Servers.

LinuxONE is designed to help support green IT efforts. For example, consolidating Linux workloads on five IBM LinuxONE Emperor 4 systems instead of running them on compared x86 servers under similar conditions can reduce energy consumption by 75%, space by 50% and the CO2e footprint by over 850 metric tons annually.

Interested parties can get started via the IBM Bare Metal Servers provisioning page, or learn more via the documentation.

Nextcloud is the open source cloud platform that provides powerful alternatives to commercial products. EU governments, ever eager to reduce reliance on Big Tech, are increasingly looking to the platform as an option. In fact, the European Data Protection Supervisor recently migrated to Nextcloud:

Open Source Software offers data protection-friendly alternatives to commonly used large-scale cloud service providers that often imply the transfer of individuals’ personal data to non-EU countries. Solutions like this may therefore minimise reliance on monopoly providers and detrimental vendor lock-in. By negotiating a contract with an EU-based provider of cloud services, the EDPS is delivering on its commitments, as set out in its 2020-2024 Strategy, to support EUIs in leading by example to safeguard digital rights and process data responsibly.”

Wojciech Wiewiórowski, EDPS

The upcoming end of SharePoint Server support has created a situation where governments are eager to avoid vendor lock-in, making Nextcloud an even more appealing proposition.

As a result, Nextcloud has received a significant increase in interest from EU governments, with German state Schleswig-Holstein already making the switch from SharePoint to Nextcloud, and many others beginning to follow suit.

Nextcloud’s initiative to offer a digitally sovereign, open-source alternative to Microsoft Sharepoint is to be welcomed. That’s why we work together with Nextcloud to optimize Nextcloud Tables.

Ralf Sutorius, Leitender IT-Architekt, Stadt Köln

It’s a refreshing turn of events to see a powerful, open source alternative gain more widespread use.

According to Windows Latest, the problem has been going on for months, but seems to be impacting the most recent security and essential updates. It is impacting some optional updates as well.

KB5022303, the mandatory security update and essential for Windows 11 users, is failing with mysterious error messages, with 0x800f0831 being the most common error code. This bug is also hitting KB5022360, which is the latest optional update for Windows 11.

While failed updates are bad enough, cryptic error messages that do not provide any assistance make it that much more difficult to troubleshoot.

While Microsoft is aware of the situation, there has been no word yet on a possible fix.

Ubuntu is the most widely-used Linux distro, providing excellent hardware support and ease of use. Canonical releases interim releases every six months, with LTS (long-term support) releases every two years. LTS releases offer five years of support and security patches.

The new Ubuntu Pro subscription extends LTS support to a full ten years while also improving security. In particular, Ubuntu Pro adds security patch support for the 23,000 packages in the Ubuntu Universe repo, outside of the 2,300 packages in the Ubuntu Main repo.

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available. Ubuntu Pro, released in beta in October last year, helps teams get timely CVE patches, harden their systems at scale and remain compliant with regimes such as FedRAMP, HIPAA and PCI-DSS.

The new plan also features optional phone/ticket support.

“I manage my own compute cluster leveraging MAAS and other Canonical tools to support my research. The open source security patches delivered through Ubuntu Pro give my team peace of mind, and ensure my servers are secure. Canonical is continuously delivering timely CVE patches covering a broad portfolio of open source applications for the entire ten-year lifetime of an Ubuntu LTS. This brings much needed stability and compliance”, said David A Gutman, MD PhD, Associate Professor of Pathology, Emory University School of Medicine.

The subscription is available for free to personal and small-scale commercial users for up to five machines. The standard subscription is available for $25 per workstation per year or $500 per server per year.

Patch Tuesday is Microsoft’s term for when it releases updates and security fixes for Windows. The first Patch Tuesday of 2023 fixes a slew of issues, including 11 critical and 87 important issues. One of them, CVE-2023-21674, is currently being exploited.

Microsoft offers the following description of the zero-day exploit:

This vulnerability could lead to a browser sandbox escape.

Once the vulnerability is exploited, an attacker can achieve the following:

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

All users should update immediately.

Microsoft has issued a knowledge base article detailing possible data loss issues as a result of the latest Vector Advanced Encryption Standard (AES). The impacted hardware will have either AES XEX-based tweaked-codebook mode with ciphertext stealing (AES-XTS) or AES with Galois/Counter Mode (GCM) (AES-GCM).

The company says a recent change in Windows caused the issue.

We added new code paths to the Windows 11 (original release) and Windows Server 2022 versions of SymCrypt to take advantage of VAES (vectorized AES) instructions. SymCrypt is the core cryptographic library in Windows. These instructions act on Advanced Vector Extensions (AVX) registers for hardware with the newest supported processors.

Microsoft recommends customers upgrade to the latest preview releases.

To prevent further data damage, we addressed this issue in the May 24, 2022 preview release and the June 14, 2022 security release. After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release).

To prevent further data damage, we addressed this issue in the May 24, 2022 preview release and the June 14, 2022 security release. After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release).

More information can be found here.

Windows updates are already one of the most frustrating part of many users’ daily lives. The process is long and involved, and happens far more often than many users would like. To make matters worse, updates fail at times, leading to a whole slew of additional issues.

According to David Guyer, on the company’s Windows IT Pro Blog, users should be allocating at least eight hours for updates.

“Microsoft has invested significant effort into understanding why Windows devices are not always fully up to date,” writes Guyer. “One of the most impactful things we explored was how much time a device needs to be powered on and connected to Windows Update to be able to successfully install quality and feature updates. What we found is that devices that don’t meet a certain amount of connected time are very unlikely to successfully update. Specifically, data shows that devices need a minimum of two continuous connected hours, and six total connected hours after an update is released to reliably update. This allows for a successful download and background installations that are able to restart or resume once a device is active and connected.”

It’s a safe bet no one is going to be happy with this recommendation, from home users to IT managers.

On Linux, Unix, macOS, and other Unix-style operating systems, the root account has ultimate access to the system. As a result, when a user account is set up, it doesn’t have root access as a way of protecting the system from accidental damage.

Unfortunately, according to security firm Qualys, there is a major flaw in the popular polkit’s pkexec utility that is included in every major Linux distro. Qualsys’ Bharat Jogi, Director, Vulnerability and Threat Research, describes the role polkit plays in Unix-style systems.

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

When the vulnerability is exploited, a regular user is able to gain root privileges, completely compromising the system. Unfortunately, Qualsys says the vulnerability has been in existence for 12+ years, since at least May 2009.

Qualsys has already notified all vendors and recommends users install security patches for their distro immediately.