The United States NSA urging enterprises and individuals to install the update addressing the BlueKeep vulnerability on Windows systems as soon as possible.
End-of-life doesn’t mean no longer a threat. Microsoft decided to release security updates for no longer supported Windows 2003 and Windows XP systems to fix a bug that could be exploited by a worm.
Even with a regular software update cadence, some vulnerabilities are serious enough to warrant an emergency fix. Microsoft has released an out-of-band update addressing a remote code execution flaw in Internet Explorer.
How do enterprises figure out which security flaws to fix first? Research shows common vulnerability management and remediation strategies are no better than random guesses. Trying to predict which flaws will be exploited and fixing those is a better use of the security teams's time.