Will you provide all security patches that would otherwise be delivered via Microsoft's Extended Security Updates?

mitja.kolsek -

We can't guarantee that. Microsoft's Extended Security Updates (ESU) will include Critical and Important security patches for Windows 7 and Windows Server 2008 according to their definition in Microsoft's Security Update Severity Rating System.

Our criteria for micropatching a vulnerability are specified here and are not identical to Microsoft's. While we expect our criteria and Microsoft's to mostly overlap for high-risk vulnerabilities, we may decide not to micropatch some vulnerabilities that Microsoft includes in ESU, and we may micropatch issues on Windows 7 or Windows Server 2008 that aren't included in ESU.

Furthermore, for technical or other reasons, we may be unable to port a security fix to Windows 7 or Windows Server 2008 as a micropatch (e.g., we may not be able to obtain a proof-of-concept for triggering the vulnerability while it is already being exploited in the wild, or the vulnerability may be in code that can't be micropatched). If that happens, we'll provide recommendations for users to mitigate the vulnerability on their computers in some other way.
