Essential Eight #2: Patch Operating Systems

This article is the second in an eight-part series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.


The operating system is the foundation on which everything else runs. Every application, every service, every security control depends on it. When an operating system contains an unpatched vulnerability, that foundation is compromised — and attackers with access to the underlying OS can potentially circumvent every control built on top of it.

Patching operating systems is the second Essential Eight strategy, and while it shares structural similarities with patching applications, it operates at a fundamentally different level of risk.

What the Strategy Requires

The ACSC’s requirements for OS patching mirror the urgency applied to applications, with specific focus on the criticality of the underlying platform.

For internet-facing services — web servers, VPNs, remote desktop services — patches must be applied within two weeks of release, or within 48 hours if a working exploit is publicly known. All unsupported operating systems must be removed from the environment entirely. An end-of-life OS that no longer receives vendor security updates cannot be secured, regardless of compensating controls applied around it.

Regular vulnerability scanning is also required — to verify that patching has been applied successfully and to identify systems that have been missed. At higher maturity levels, the ACSC requires daily scanning of internet-facing services.
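The timeframes above are simple to state but easy to lose track of across a fleet. As an added illustration (not code from the article, the ACSC or Luminol), the following script evaluates a small asset inventory against those rules: it flags any host whose operating system has passed its vendor end-of-support date, and any outstanding or late patch measured against the 14-day and 48-hour deadlines the article gives for internet-facing services. The inventory, host names, patch identifiers and dates are all constructed. Two assumptions are labelled in the code: the article gives no timeframe for non-internet-facing hosts, so 30 days is used, and the 48-hour rule is applied to every host once an exploit is public, which is stricter than the article's internet-facing wording.

```python
"""Check an asset inventory against Essential Eight OS patching timeframes.

Added example; not the article's, the ACSC's or Luminol's code. All inventory
data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Timeframes the article states for internet-facing services.
INTERNET_FACING_DEADLINE = timedelta(days=14)
EXPLOIT_KNOWN_DEADLINE = timedelta(hours=48)
# Assumption: the article gives no figure for non-internet-facing hosts;
# 30 days (the ACSC's "one month") is used here.
INTERNAL_DEADLINE = timedelta(days=30)


@dataclass
class Patch:
    ident: str                          # advisory identifier (constructed)
    released: datetime                  # when the vendor published the fix
    exploit_public: bool                # a working exploit is publicly known
    applied: Optional[datetime] = None  # None while still outstanding


@dataclass
class Host:
    name: str
    os: str
    support_ends: Optional[datetime]    # None = no known end-of-support date
    internet_facing: bool
    patches: List[Patch] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    code: str                           # UNSUPPORTED_OS, PATCH_OVERDUE, PATCH_LATE
    detail: str


def deadline_for(host: Host, patch: Patch) -> datetime:
    """Latest acceptable time for this patch to be applied on this host."""
    if patch.exploit_public:
        # Assumption: applied to every host, not only internet-facing ones,
        # which is the more conservative reading of the 48-hour rule.
        return patch.released + EXPLOIT_KNOWN_DEADLINE
    if host.internet_facing:
        return patch.released + INTERNET_FACING_DEADLINE
    return patch.released + INTERNAL_DEADLINE


def assess(hosts: List[Host], now: datetime) -> List[Finding]:
    """Return one Finding per end-of-life OS and per overdue or late patch."""
    findings: List[Finding] = []
    for host in hosts:
        if host.support_ends is not None and host.support_ends <= now:
            findings.append(Finding(
                host.name, "UNSUPPORTED_OS",
                f"{host.os} left vendor support on {host.support_ends:%Y-%m-%d}; "
                "no further patches will be issued, remove it"))
        for patch in host.patches:
            due = deadline_for(host, patch)
            # An unapplied patch is measured against the assessment date.
            finished = patch.applied if patch.applied is not None else now
            if finished <= due:
                continue
            late_by = (finished - due).days
            if patch.applied is None:
                findings.append(Finding(
                    host.name, "PATCH_OVERDUE",
                    f"{patch.ident} still missing, {late_by} day(s) past "
                    f"deadline {due:%Y-%m-%d %H:%M}"))
            else:
                findings.append(Finding(
                    host.name, "PATCH_LATE",
                    f"{patch.ident} applied {late_by} day(s) after "
                    f"deadline {due:%Y-%m-%d %H:%M}"))
    return findings


# Constructed inventory; the assessment date is fixed so the run is reproducible.
ASSESSMENT_DATE = datetime(2024, 6, 1)
INVENTORY = [
    Host("web-01", "Ubuntu 22.04", datetime(2027, 4, 1), internet_facing=True,
         patches=[
             Patch("PATCH-A", datetime(2024, 5, 10), False, datetime(2024, 5, 20)),
             Patch("PATCH-B", datetime(2024, 5, 25), True),   # exploit public, unapplied
         ]),
    Host("fs-02", "Windows Server 2012 R2", datetime(2023, 10, 10),
         internet_facing=False),                              # end-of-life OS
    Host("ws-03", "Windows 11", None, internet_facing=False,
         patches=[
             Patch("PATCH-C", datetime(2024, 4, 20), False, datetime(2024, 5, 25)),
         ]),
]

if __name__ == "__main__":
    for f in assess(INVENTORY, ASSESSMENT_DATE):
        print(f"{f.host:8} {f.code:15} {f.detail}")
```

Run against the constructed inventory, it reports the exploited-but-unapplied patch on the internet-facing web server as overdue, the 2012 R2 file server as an unsupported OS to be removed, and the workstation patch as applied late. Feeding it real data means exporting the same three facts per host from whatever inventory and scanning tools are in use: what OS it runs and when support ends, whether it is internet-facing, and the release and applied dates for each outstanding advisory.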

The Particular Risk of Unpatched Operating Systems

Vulnerabilities in operating systems are among the most valuable commodities in the attacker ecosystem. An OS-level vulnerability can grant an attacker kernel access, the ability to disable security tools, and a pathway to move laterally across an entire network. Unlike an unpatched application — which may expose one service or one data type — an unpatched OS can expose everything.

In 2017, the EternalBlue exploit — originally developed as a government hacking tool and subsequently leaked — targeted a vulnerability in Windows SMB. Microsoft had released a patch two months prior. WannaCry and NotPetya, two of the most destructive cyberattacks in history, both weaponised EternalBlue against unpatched systems. Organisations that had applied the available patch were largely unaffected. Those that had not applied it faced catastrophic consequences.

The lesson is not that patching is difficult. It is that the consequences of not patching are disproportionate to the effort required.

End-of-Life Operating Systems: A Persistent Problem

One of the most consistently observed vulnerabilities in Australian SMB environments is the continued operation of end-of-life operating systems — particularly older Windows versions that Microsoft no longer supports. Extended Security Updates exist for some products, but they are a temporary measure and carry additional cost.

The ACSC is unambiguous: unsupported operating systems must be removed. No patch will ever be available for a vulnerability discovered in an OS the vendor no longer maintains. Every day such a system remains in production is a day it sits undefended against any newly discovered exploit.

The Relationship Between OS and Application Patching

These first two Essential Eight controls are complementary. Patching applications closes vulnerabilities in the software running on top of the OS. Patching the OS closes vulnerabilities in the platform those applications depend on. Attending to one without the other leaves meaningful gaps.

A business that patches its applications diligently but runs an end-of-life operating system has secured the upper floors of a building with a compromised foundation. The order of priority matters less than the recognition that both are necessary.


This series continues with Essential Eight #3: Multi-factor Authentication.

Further reading: ACSC Essential Eight, Luminol Cyber Hygiene Improvement
