The Risks of Running an End Of Life OS – And How To Manage It
It’s impossible to avoid change in technology – by definition, technology always moves forward. And that’s generally great news, but keeping up with the changes can be another story.
Constant change means that technology has a limited lifespan. Yes, you can carry on using something beyond its lifespan, but doing so has consequences. For end-of-life (EOL) software, the consequences include instability, high maintenance, and – of course – massive security risks.
In this article, we explain what end-of-life software is, why organizations should never rely on end-of-life software, and how third-party support can help.
Software Has an End Of Life Too
Software vendors constantly release new versions of software. New features, bug fixes, and so on are all wrapped up in a new release. At the same time, the vendor will continue to support the old release, including by pushing security updates if needed.
This happens for everything from productivity software to operating systems.
However, a vendor cannot support an older version of its software indefinitely. Imagine trying to support an OS that is thirty years old. It’s possible, but it would be a huge drain on resources – and somewhat pointless.
To limit the resources spent on supporting an OS, vendors set end of life dates for an operating system, after which official support – including fixes for security vulnerabilities – stops. At some point, every piece of software, including operating systems, reaches a point called end of life.
And this is a major hazard for any users who are still relying on the old release. Yes, things can simply stop working once software reaches end of life – but that’s just a small part of the risk. The major problem with end of life software comes down to security. If the vendor no longer releases patches for security vulnerabilities, the user simply can’t keep their system patched and will be relying on vulnerable software.
Unfortunately, despite the risk, it is nonetheless common for businesses to continue depending on an operating system that’s no longer supported, simply because the alternative of upgrading or changing to a different OS is too expensive or too inconvenient.
Case In Point: WannaCry and End-of-Life Windows
Relying on end-of-life software is more common than you’d think, and it can even happen under mission-critical scenarios. But end-of-life operating systems present opportunities for cybercriminals. An OS that’s no longer supported will have known vulnerabilities, and because support has ended… good luck finding a patch.
In turn, threat actors rely on known vulnerabilities to attack a business. Companies that rely on an end-of-life operating system are at risk of malware attacks that lead to service disruption, data loss – or worse.
That’s exactly what happened in May 2017. A massive cyberattack occurred where the WannaCry exploit was used to target hundreds of thousands of companies that were still using Windows XP – an operating system that reached end of life three years earlier in 2014.
Companies that still used Windows XP did not get Microsoft’s security bulletins and never installed the patch that fixed a months-old Windows vulnerability called EternalBlue. (The vulnerability was so dangerous that Microsoft released an emergency patch for Windows XP, even though Windows XP had reached end of life by that point).
This was just one example of a vulnerability in an end-of-life operating system that was exploited successfully.
So, What Are the Risks of an End-of-Life OS?
There are “valid” reasons for using an end-of-life OS, and we’ll talk about these in a later section. But, even where companies have a good reason for keeping an unsupported OS in place, the risks are significant – and almost always outweigh the benefits or any other rationale of using an EOL operating system.
Compliance and Legal Risks
With cybersecurity being such a daunting problem, numerous legal and compliance regimes help ensure that companies meet minimum data security standards to keep customers and clients safe.
It is common for these requirements to include a statement about official vendor support for software, and a statement that deems the reliance on end-of-life software as non-compliant. Non-compliance can lead to stiff financial penalties.
Companies that deploy an EOL operating system risk everything from fines to an outright ban on operating in their industry. Where it can be proven that an attack succeeded because of negligence, through the use of end-of-life software without vendor support, for example, companies may also be at the sharp end of legal proceedings because those impacted by the breach can seek redress.
Outdated and Incompatible Solutions
We said at the get-go that technology moves quickly. Companies that harness the latest tech benefit in many ways. For example, offering better products and features to their customers and a better experience for employees.
EOL software is, by definition, outdated software that’s likely missing a range of the latest features and benefits. Aside from leaving technology solutions in the slow lane, outdated software produces a further problem: a lack of compatibility. By relying on an end-of-life OS, companies risk running into compatibility problems, which will have a growing impact as time moves on.
Problems with Reliability
One of the impacts of incompatible software is an issue with reliability. At some point in time, the technology around the end-of-life product will be upgraded. That makes the end-of-life OS out of step with the rest of the solution.
This will lead to reliability problems as vendors will code with a certain functional expectation in mind, only for EOL software to lack the required functionality. In other words, a simple vendor update of a software component can break a solution due to an EOL operating system.
It is also worth noting that end-of-life software, including an end-of-life operating system, can represent a false economy. Yes, companies can save money by delaying an upgrade, but the maintenance burden for EOL software will grow with time as customized solutions need to be found to fix problems where vendor support no longer kicks in.
Similarly, EOL operating systems can lead to reliability problems that drive up costs Worse, as suggested above, outdated software can lead to compliance and legal problems that may lead to incredibly expensive fines.
Last, we address the biggest issue with relying on end-of-life software: the significant security risks implied by using software that is no longer supported. By definition, end-of-life operating systems will not get security fixes and updates from the original manufacturer, which would protect users against known vulnerabilities.
Instead, these security risks will be known to the public, including hackers, but there won’t be a vendor-supplied patch that can protect users against the risk when hackers decide to exploit it. A single critical bug that is not patched due to a lack of official support can lead to an expensive cybersecurity breach.
Why Companies End Up Relying on End-Of-Life Software
The problems that can emerge when companies rely on an unsupported operating system are clearly significant, but EOL software remains common in enterprise environments. It is understandable, to some degree, as there are rational reasons for relying on unsupported software.
It can happen that specific features, capabilities, or characteristics of an EOL operating system are dropped as a vendor progresses through updates. Sometimes companies depend on these features for their solutions, and the fact that the newer OS does not have these features may mean that solutions break, or that expensive remedial effort is required to sustain functionality.
When this happens, companies can be stuck in a difficult position – unable to migrate to a supported OS because they are unable to design a workaround that ensures ongoing functionality under the new operating system.
Resources Are Limited
Technology solutions are, more often than not, a matter of trying to get as much done with as little as possible. The result is that companies will try and shift funds around to meet competing priorities. Often, updating software is seen as a lower priority compared to desired new features or indeed day-to-day operating costs.
The fact of the matter is, in the competition for resources, there may simply be more important priorities than upgrading a perfectly functional operating system, even if it has reached end of life. It also comes down to time: does a company have the necessary staff to be able to perform upgrades in a confident manner?
Closely tied to resource limitation is the potential problems surrounding executing a migration. Particularly in the case where deployments are very large in scale, migration becomes so complex and so challenging that it can seem as if there is no realistic route to upgrading an OS – and that simply keeping in place the existing OS is the most sensible option.
This can also happen where migration involves complex, interacting systems that stretch across departments and across independent organizations. In fact, in rare instances, migration risks can outweigh the security risks associated with an unsupported OS.
Lack of Accountability
Finally, for some companies, accountability is a challenge. In other words, there is no party ultimately responsible for managing the end-of-life status of software. This can be due to a leadership deficit or because of poor organizational structure.
It may also be a practical matter. For example, it can happen that no single party has authority over technology solutions. This happens particularly where technology capabilities are shared. Under these circumstances, companies can find that there is no one willing to take on the risk or responsibility of migration, and – as a result – the migration is never performed.
Centos 6: An Example of Retaining An EOL Operating System
Late in 2020, Red Hat announced that it will no longer produce the fork of Red Hat Enterprise Linux, CentOS, as a stable release. Red Hat essentially accelerated the end of life of the entire CentOS product as a stable release. In other words, companies who rely on CentOS 6 had no realistic upgrade path.
The only option for these companies was to switch to another OS, or to pay for Red Hat Enterprise Linux. This situation around CentOS 6 is typical of the rationale some companies may use to continue using an operating system that is not supported.
It’s not an unreasonable way of thinking about end-of-life operating systems, but the fact that the upgrade path from CentOS 6 is challenging should not outweigh the fact that relying on CentOS 6 creates large security risks.
Endless Opportunities for Exploits
As much as there are valid reasons for considering the use of an EOL operating system, the problem remains that new and novel security breaches keep coming hard and fast – and unpatched end-of-life software just leaves the door open.
Take the emerging threat of crypto miners. At a rapid pace, hackers have started to deploy resource-hungry crypto mining software through illicit methods – taking advantage of weaknesses in Windows and Linux to install software that builds profits for the hacker at the expense of the company that owns and operates the computing resources.
It’s a particularly insidious threat, and illustrates how relying on outdated, unsupported software can have unexpected consequences. In this case, an unpatched EOL operating system can mean that a company’s resources are diverted to crypto mining, leading to higher expenses and problems with reliability and availability.
Consider Extended Support Instead
There is a workaround for some end-of-life operating systems. First, some vendors offer extended support – the opportunity to pay, sometimes rather large sums, to enjoy ongoing support for an operating system that no longer enjoys general support. It’s called extended lifecycle support (ELS). Where vendors offer it, any customers that take advantage of extended support will remain compliant and secure – but at a price.
In a few cases, third parties offer extended support for an operating system. For example, here at TuxCare, we offer extended lifecycle support for a range of Linux-based server operating systems, including end-of-life versions of CentOS, Oracle Linux, and Ubuntu.
Extended Lifecycle Support from TuxCare includes comprehensive vulnerability patching to ensure that any new vulnerabilities that are discovered in a supported operating system, such as CentOS 6, are immediately covered by a patch from TuxCare.
Plus, TuxCare support is available at a far lower price than equivalent vendor support. For example, our CentOS 6 ELS is only a fraction of the price of the Red Hat equivalent.
Either way, companies that purchase extended support buy themselves plenty of time to upgrade or migrate the OS that they depend on. ELS means companies can obtain the resources to undergo migration, plan migration carefully, or simply find alternative solutions. Most importantly, ELS covers companies for security risks while the end-of-life OS is in place.