If you would like to read the other parts in this article series please go to:
- The Risk of Running Obsolete Software (Part 2)
- The Risk of Running Obsolete Software (Part 3)
- The Risk of Running Obsolete Software (Part 4)
Once upon a time, it was considered smart and frugal to hang onto the things you owned for as long as possible, to keep using them until they were all used up, to squeeze every last drop of utility out of them. We drove our cars for ten years and over 100,000 miles. We wore our shoes until there were holes in the soles. We sewed up rips in our clothes and reupholstered our sofas and repaired TVs and toasters that quit working.
That was then and this is now. We live today in a throwaway society, where most people trade in their vehicles every two years (or even one), upgrade their phones as soon as they’re eligible whether or not the old one still works fine, give clothes to charity that we’ve only worn once or twice, in order to replace them with the latest fashions. You can’t find a cobbler to fix the broken heel on your favorite boot even if you wanted to. For most things, once the warranty expires – and they’re getting shorter and shorter – it’s cheaper (and a whole lot easier) to just buy a new one than to have the old one mended.
And yet, many individuals and companies – perhaps in subconscious resistance to the trend or perhaps in a throwback to simpler times, or maybe for other reasons that we’ll discuss later in this article series – continue to run computers and software that have reached the ends of their lifecycles. According to NetMarketShare.com’s statistics, 10.93% of users are still running Windows XP on the desktop as of the end of December 2015.
Think that’s just a bunch of clueless home users? Well, according to Netcraft’s report, as of last August there were still hundreds of thousands of servers still running Windows Server 2003, even though it was out of support and no longer receiving security updates.
Whereas driving your 1985 pickup truck long after the odometer has turned over (twice) poses no problem for anyone (other than, maybe, you – if it breaks down on your next road trip), continuing to run obsolete computer operating systems and other software can affect others on your network or even outside your local network.
It’s not getting better; it’s getting older
Some things get better with age: wine and whiskey, cigars, certain cheeses, cast iron skillets, wise investments. Computers and computer programs are not one of those things. Software vendors create operating systems, applications and utilities that are optimized for the computer or device hardware that’s available at the time. However, technology advances at a rapid rate, and what was state-of-the-art yesterday can’t begin to keep up with today’s equipment.
In order to achieve these performance and feature improvements, though, the hardware evolves. New hardware innovations require changes to the software to take advantage of them (or in some cases to even work on them at all). Software makers are masters of adaptability (if they’re not, they don’t survive) so they create new versions of their programs to run on the new machines. But where does that leave their customers who are still using the old versions on the old machines?
You should be able to just do that, right? Unless or until the hardware gets damaged or wears out, and as long as the software does what you need it to do, why should you shell out money for fancy features you don’t need? After all, if you have an old fashioned cooktop with those ugly coil burners, you can keep on using it to boil the water for your pasta and sauté your chicken breast for as long as you want. Nobody’s going to be pressuring you to upgrade to a modern smooth-top induction element range (other than the appliance salesman if you venture into that section of the department store).
Why, then, is everyone so concerned about pushing you into the newest version of Windows or the latest iteration of your web browser of choice? In a word, the difference is: security.
Look at it this way: What if that old stove you’re using wasn’t just outdated and a little less convenient; what if it was a safety hazard? What if it was an ancient gas model with a gas line that’s corroded and leaking and its pilot light has been removed or stopped functioning, with no sensor or automatic shutoff if there’s a gas leak? In that case, others would be justified in urging you to upgrade, because there is a safety issue that not only presents a danger to you, but could even affect your neighbors if you were gone and so much gas built up in your house that it exploded.
I think we would all agree that when it comes to safety issues that can spill over to others, we have a responsibility to help protect the “herd.” Many people don’t realize that their determination to hang onto an old OS or application can actually put others at risk, but it can.
The risky business of running old software
What are the security risks of running less than up-to-date software? Think about it. One of the reasons that people are so adamant about not upgrading is because they’re so familiar with how their old OS and applications work. They know their ways around it and have a lot of experience with it. Unfortunately, the same thing is true of the hackers and attackers. They’ve had plenty of time to get well acquainted with software that’s been around for years and years, to poke at it and find its vulnerabilities. To create exploits to take advantage of those security holes. Even to package up those exploits into kits that can be distributed to other people with a malicious bent but less technical skill.
Now, that doesn’t mean that newer software doesn’t have vulnerabilities, too. It always does. There will be carryovers from older versions that weren’t discovered and sometimes in making improvements to features and performance and reliability, developers will even inadvertently introduce new vulnerabilities that weren’t present in the old versions.
However, in general, software vendors have approached each new version with the goal of not only adding functionality but also increasing security. Each version of Windows, for example, includes more security mechanisms than the one before and/or enhances the existing security features. Look at the differences between Windows 9x, in which security was barely an afterthought with the focus on things like ActiveDesktop, and Windows XP, when security and privacy started to gain importance in the development process of the OS and web browser with features like cookie management and especially the Internet Connection Firewall. In 2002, the Trustworthy Computing Initiative was launched and Microsoft started to really get serious about security – so much so that their next operating system, Vista, was universally hated for its “in your face” security mechanism, User Account Control (UAC). However, it also added other very useful security features such as BitLocker drive encryption (in some editions), IE protected mode, services hardening and a more advanced firewall.
Windows 7, 8/8.1 and 10 have each introduced additional security technologies and/or made improvements to old ones, culminating (for the moment) in Windows Hello’s facial recognition and iris scanning biometrics to supplement the fingerprint recognition that was available in previous versions, application-vetting by Device Guard to prevent zero day attacks, support for Azure Rights Management, and more frequent security updating. The Internet Explorer web browser is likewise given new and better security with each subsequent iteration.
But it’s not just the lack of these new features that make the old operating systems and browsers so risky, and it’s not just that their vulnerabilities have been sitting there, waiting to be discovered, for a longer time. The big problem is that once the software reaches the end of the support lifecycle, even if those vulnerabilities do become known, they don’t get fixed. Now attackers know about the holes and have free reign to use them to infect your computer with malware.
That means you put your system at risk but it also means you put everyone else on your network at risk, too, because some of those vulnerabilities may be information leakage issues and the information that’s leaked may contain network-related data that a hacker can use to infiltrate the entire network or to create a denial of service attack that will affect the whole network and keep all the computers in your organization from being able to communicate (and thus prevent all the users from being able to get their work done).
But wait, there’s more: what if the attacker is able to exploit one of those unpatched (and unpatchable) vulnerabilities in your old system to make it part of a botnet – a group of computers that have been infested with malware and are centrally, remotely controlled by a “bot master”? Then the entire squadron of “zombie” computers can be used to remotely attack some other network across the Internet. Your computer could be participating in a distributed denial of service attack (DDoS) or helping to send spam, without your knowledge.
Summary
Never mind, then, that you’re missing out on the latest functionalities that new software has to offer. With all these security consequences of sticking with software long past its useful life, why do people and companies still do it? That’s what we’ll take up in Part 2, and then we’ll talk about the software support lifecycle and how it works.
If you would like to read the other parts in this article series please go to:
Hi ,
I have an issue to convince my IT to replace the obsolete windows 2003 server which is no more in support. However they are of the opinion that internal and external network are protected with the firewall. So they are questioning the risk impact. How do i convince them ? Any salient point from experts?