Microsoft drops surprise Windows Server patch before weekend downtime

Microsoft has released an out-of-band update to patch a critical vulnerability in Windows Server Update Services (WSUS). The update addresses CVE-2025-59287, a remote code execution flaw affecting Windows Server versions 2012 through 2025. The vulnerability stems from insecure deserialization of untrusted data …

  1. m4r35n357 Silver badge

    Context, wot's that?

    "However Microsoft's message to administrators is clear: switch to an alternative"

    1. LVPC Bronze badge

      Re: Context, wot's that?

      >> However Microsoft's message to administrators is clear: switch to an alternative like its cloud-based Intune service.

      People still use Microsoft for servers? What sort of insanity in this day and age!

      1. kmorwath

        Re: Context, wot's that?

        Ask F5 or RedHat how secure running on Linux was, in the past weeks...

    2. kmorwath

      Re: Context, wot's that?

      A cloud-based alternative is not an alternative when you use WSUS because your connection is slow enough that several machines attempting to download updates in the gigabyte range is not an option. For the same reason you may have Linux mirrors or at least an apt cache or the like. Or you may want faster deployment of spun-up VMs downloading files from the local server.

      But it is true that WSUS has not been updated for ages, it has known issues that could be solved with some database tuning, and others that only MS can fix, but for some reason keeping machines patched wasn't one of their main priorities...

    3. Fred Daggy
      Linux

      Re: Context, wot's that?

      My message to Microsoft: Pull your finger out of your arse and start supporting your damn on-premises systems as first-class citizens.

      Fix and update WSUS and other so-called “depreciated” systems. You’ve very little that keeps us in your ecosystem. That includes operating system, cloud platform, productivity suite, database and messaging. Competitors on all fronts, get your act together.

  2. may_i Silver badge

    Only a serious vulnerability if you've already lost your mind.

    > block inbound traffic to ports 8530 and 8531

    Why would anyone, except for reasons of insanity, expose ANY ports on a Windows machine to the Internet at large?

    1. Jou (Mxyzptlk) Silver badge

      Re: Only a serious vulnerability if you've already lost your mind.

      Because there is another way more common reason: Stupidity. Worse than insanity.

    2. Sandtitz Silver badge
      Boffin

      Re: Only a serious vulnerability if you've already lost your mind.

      The MS CVE article talks about using the host's own (Windows) firewall to block access until patching is done. Shirley no-one is exposing WSUS to internet.

      This is about zero trust. All your systems should be siloed microsegmented with only the minimum required inbound/outbound access allowed. WSUS should be in its own VLAN, different to the client computers anyway, so you can control and monitor all connections with a firewall.

      "Why would anyone, except for reasons of insanity, expose ANY ports on a Windows machine to the Internet at large?"

      Please explain how e.g. latest patched Apache Tomcat is more secure when served from Linux instead of Windows.
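
The temporary host-firewall mitigation discussed in this sub-thread (blocking inbound TCP 8530 and 8531 on the WSUS host until the update is installed), as an added PowerShell example that is not part of any comment or of Microsoft's advisory. The rule name is a hypothetical placeholder; the script assumes an elevated session on the Windows Server host itself.

```powershell
#Requires -RunAsAdministrator
# Added example: temporary inbound block for WSUS ports on an unpatched server.
$ports    = 8530, 8531                  # ports named in the thread
$ruleName = 'TEMP-Block-WSUS-Inbound'   # hypothetical rule name (assumption)

# 1. Only act if the WSUS role is installed (its feature name is UpdateServices).
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role is not installed; no block rule needed.'
    return
}

# 2. Report which of the two ports currently has a listener.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports } |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Output "WSUS ports with a listener: $($listening -join ', ')"

# 3. Create the block rule once (idempotent). In Windows Firewall an explicit
#    block rule takes precedence over the allow rules WSUS setup created.
#    While it is active, clients cannot reach this server for updates.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Block -Protocol TCP `
        -LocalPort $ports -Profile Any `
        -Description 'Temporary block until the WSUS update is installed' |
        Out-Null
}

# 4. Confirm the rule exists, is enabled, and blocks inbound traffic.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# After patching and rebooting, remove the temporary rule:
# Remove-NetFirewallRule -DisplayName $ruleName
```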

  3. Anonymous Coward

    "However Microsoft's message to administrators is clear: switch to an alternative like its cloud-based Intune service."

    Intune can only be used for client versions of Windows. If you use WSUS to update servers then the cloudy equivalent for them is Azure Update Manager, which is part of Azure Arc.

    1. Anonymous Coward

      Which in itself is problematical if you're trying to be multi-cloud, with little-to-no dependence on a single cloud provider (which when push comes to shove may turn out to be an illusion).

  4. Jou (Mxyzptlk) Silver badge

    "If the WSUS Server Role is enabled on your server, disable it."

    "If the WSUS Server Role is enabled on your server, disable it. Note that clients will no longer receive updates from the server if WSUS is disabled."

    Gotta love that humor in the msrc article...

    At least it is included in the normal updates for Windows server and not a separate patch...

  5. ABugNamedJune

    I don't think anything will happen at my org, but of course it had to be over the weekend *I'm* on call. Couldn't you have waited one more week?

  6. Paul Hovnanian Silver badge

    Apropos article graphic ...

    ... for a Windows repair: A hammer.

  7. Taliesinawen

    Good Grief Charlie Brown :o

    Deserialization of untrusted data: The vulnerability arises from unsafe deserialization in WSUS, where objects sent over a network, like AuthorizationCookie data, are improperly validated and converted back into executable objects.

  8. saltycupcakes
    1. The Dark Side Of The Mind (TDSOTM)
      Pint

      I saw what you did here.
