Today’s technology world moves rapidly, with continuous updates to the software companies depend on. This is true for operating systems too – vendors regularly release new versions of an operating system (OS), which means an OS that has just been put in use can rapidly become outdated.

At some point every piece of software, including operating systems, reaches a point called end of life. To limit the resources spent on supporting an OS, vendors set strict end of life dates for an operating system – after which official support, including fixes for security vulnerabilities, stops.

Relying on an end of life (EOL) operating system is a big risk, but it is nonetheless common for businesses to continue depending on an operating system that’s no longer supported simply because the alternative of upgrading or changing to a different OS is too expensive or too inconvenient.

CASE IN POINT: WANNACRY AND END OF LIFE WINDOWS

End of life operating systems present opportunities for cybercriminals. An OS that’s no longer supported will have known vulnerabilities, and because support has ended, the vendor won’t issue patches for these known vulnerabilities.

An attacker can rely on a known vulnerability to attack a business. Companies that rely on an end of life operating system may experience malware attacks that lead to service disruption and data loss.

This is what happened in May 2017. As reported by TripWire, a massive cyberattack occurred where the WannaCry exploit was used to target hundreds of thousands of companies who were still using Windows XP – an operating system that reached end of life in 2014.

Companies that still used Windows XP did not get Microsoft’s security bulletins and never installed the patch that could fix a months-old Windows vulnerability which was called EternalBlue. The situation was so bad that Microsoft released an emergency patch for Windows XP, even though Windows XP had reached end of life.

It’s just one example of a vulnerability in an EOL operating system that was exploited successfully.

So, what are the risks of an EOL OS?

There are “valid” reasons for using an end of life OS, and we’ll talk about these in a later section. But even where companies have a good reason for keeping an unsupported OS in place the risks are significant – and almost always outweigh the benefits or any other rationale of using an EOL operating system.

Compliance and legal risk

With cybersecurity such a daunting problem, numerous legal and compliance requirements have stepped in to ensure that companies meet minimum data security standards to keep customers and clients safe.

It is common for these requirements to include a statement about official vendor support for software, and to deem the use of end of life software as non-compliant. Non-compliance can lead to stiff penalties.

Companies that deploy an EOL operating system risk everything from fines through to losing their right to operate in their field. Where it can be proven that a successful attack was due to negligence, the use of end of life software being a prime example, companies may also be at the sharp end of legal proceedings because those impacted by the breach will seek redress.

Outdated and incompatible solutions

We said at the outset that technology moves quickly. Companies that harness the latest tech benefit in many ways. For example, offering better products and features to their customers, and a better experience for employees.

EOL software is by definition outdated software – missing a range of the latest features and benefits. Aside from leaving technology solutions in the slow lane, outdated software produces a further problem: a lack of compatibility. By relying on an end of life OS companies risk running into compatibility problems which will have a growing impact as time moves on.

Problems with reliability

One of the impacts of incompatible software is issues with reliability. Inevitably some elements of a technology solution will be upgraded: if the OS that the solution depends on is end of life, the operating system will be out of step with the rest of the solution.

This will lead to reliability problems as vendors will code with a certain functional expectation in mind, only for EOL software to lack the required functionality. In other words, a simple vendor update of a software component can break a solution due to an EOL operating system.

Growing costs

It is also worth noting that end of life software, including an EOL operating system, can represent a false economy. Yes, companies can save money by delaying an upgrade – but the cost of maintaining end of life software will grow with time as customized solutions need to be found to fix problems where vendor support no longer kicks in.

Similarly, EOL operating systems can lead to expensive reliability problems that drive up costs beyond the savings realised from postponing an upgrade. Worse, as suggested above, outdated software can lead to compliance and legal problems that may lead to incredibly expensive fines.

Security risks

Last, we address the biggest issue with relying on end of life software: the significant security risks implied by using software that is no longer supported. By definition, EOL operating systems will not get security fixes and updates that protect users against known vulnerabilities.

Instead, these security risks will be known to the public, including hackers, but there will be no patch that can protect users if hackers decide to exploit them. A single critical bug that is not patched due to a lack of official support can lead to an expensive cybersecurity breach.

WHY COMPANIES END UP RELYING ON AN END OF LIFE OS

The problems that can emerge when companies rely on an unsupported operating system are clearly significant, but nonetheless EOL software is common in the enterprise environment. It is understandable to some degree, as there are rational reasons for relying on unsupported software.

Workload-specific requirements

It can happen that features, capabilities, or characteristics of an EOL operating system are dropped as a vendor progresses through updates. Sometimes companies depend on these features for their solutions, and the fact that the newer OS does not have these features may mean that solutions break, or that expensive remedial efforts are required to sustain functionality.

Where this happens companies can be stuck in a difficult position – unable to migrate to a supported OS because they are unable to design a workaround that ensures ongoing functionality under the new operating system.

Resources are limited

Technology solutions are more often than not a matter of trying to get as much done with as little as possible. The result is that companies will try to shift funds around to meet competing priorities. Often, updating software is seen as a lower priority – compared to desired new features or indeed day to day running costs.

The fact is, in the competition for resources, there may simply be more important priorities than upgrading a perfectly functional operating system even if it is end of life. It also comes down to time – does a company have the necessary staff to be able to perform upgrades in a confident manner?

Migration challenges

Closely tied to resource limitation are the potential problems around executing a migration. Particularly in the case where deployments are very large in scale, migration becomes so complex and so challenging that it can seem as if there is no realistic route to upgrading an OS – and that simply keeping in place the existing OS is the most sensible option.

This can also happen where migration involves complex, interacting systems that stretch across departments and across independent organizations. In fact, in rare instances migration risks can outweigh the security risks associated with an unsupported OS.

Lack of accountability

Finally, for some companies, accountability is a problem: in other words, there is no party ultimately responsible for managing the end of life status of software. This can be due to a leadership deficit, or as a result of poor organizational structure.

It may also be a practical matter – for example, where no party has authority over technology solutions, again an issue particularly where technology capabilities are shared. Under these circumstances companies can find that there is no one willing to take on the risk or responsibility of migration, and as such the migration is never performed.

CENTOS 6 – AN EXAMPLE OF RETAINING AN EOL OPERATING SYSTEM

Late in 2020, Red Hat announced that it will no longer produce the fork of Red Hat Enterprise Linux, CentOS, as a stable release. Red Hat essentially accelerated the end of life of the entire CentOS product as a stable release. In other words, companies who rely on CentOS 6 have no realistic upgrade path.

The only option for these companies is to switch to another OS, or to pay for Red Hat Enterprise Linux. This situation around CentOS 6 is typical of the rationale some companies may use to continue using an operating system that is not supported.

It’s not an unreasonable way of thinking about end of life operating systems, but the fact that the upgrade path from CentOS 6 is challenging should not outweigh the fact that relying on CentOS 6 creates large security risks.

Endless opportunities for exploits

As much as there are valid reasons for considering the use of an EOL operating system, the problem remains that new and novel security breaches keep coming hard and fast – and unpatched, end of life software just leaves the door open.

Take the emerging threat of crypto miners. At a rapid pace, hackers have started to deploy resource-hungry cryptomining software by illicit methods – taking advantage of weaknesses in Windows and Linux to install software that builds profits for the hacker, at the expense of the company that owns and operates the computing resources.

It’s a particularly insidious threat, and illustrates how relying on outdated, unsupported software can have unexpected consequences. In this case, an unpatched, EOL operating system can mean that a company’s resources are diverted to cryptomining, leading to higher expenses and problems with reliability and availability.

CONSIDER EXTENDED SUPPORT INSTEAD

There is, however, a workaround for some end of life operating systems. First, some vendors offer extended support – the opportunity to pay, sometimes rather large sums, to enjoy ongoing support for an operating system that no longer enjoys general support. It’s called extended lifecycle support (ELS), and where vendors offer this, companies that take advantage of extended support will still remain compliant and secure – but at a price.

In a few cases, third parties offer extended support for an operating system. For example, here at TuxCare, we offer extended lifecycle support for a range of Linux-based server operating systems, including CentOS 6.

Extended Lifecycle Support from TuxCare includes comprehensive vulnerability patching to ensure that any new vulnerabilities that are discovered in a supported operating system, such as CentOS 6, are immediately covered by a patch from TuxCare.

What’s more, TuxCare support is available at a far lower price than equivalent vendor support. For example, our CentOS 6 ELS is only a fraction of the price of the Red Hat equivalent.

Either way, companies that purchase extended support buy breathing room to upgrade the OS that they depend on. ELS means companies can obtain the resources to undergo migration, plan migration carefully, or simply find alternative solutions. Most importantly, ELS covers companies for security risks while the end of life OS is in place.

[“source=blog.tuxcare”]