The Hazards of End-of-Life Software
On July 14, 2020, Microsoft announced a critical vulnerability in the Windows DNS Server with a CVSS base score of 10.0, the highest possible score. Microsoft publicly released updates for Windows Server 2012, 2012 R2, 2016, and 2019 but not for Windows Server 2008 or 2008 R2. Why not? Windows Server 2008 and 2008 R2 reached end-of-life on January 14, 2020.
When a software package becomes end-of-life, it no longer receives any active support from the vendor. The vendor will not release any further reliability or security updates for the software. The software package is effectively orphaned as is, potential bugs and all.
End-of-life software represents a major technical debt. For you to support end-of-life software, you have to invest time and effort. The software vendor will no longer provide any form of active assistance, so you will have to do this yourself. End-of-life software may not be compatible with newer hardware or software components, requiring you to keep it in a specific environment, which may in turn require other end-of-life software components or end-of-life hardware components.
Even worse, end-of-life software represents a major security risk to your organization. Unless you are able to do a full audit of the software, you will be unable to identify any security vulnerabilities within it and will have to rely on (or be at the mercy of) third parties to find these vulnerabilities, who may not announce them before exploiting them. Even if one of these parties announces a vulnerability and a fix, unless you have access to the software's source code and build system, you will be unable to apply the correction yourself.
For these reasons, most security compliance standards forbid the use of end-of-life software. Does your organization accept credit cards even if you outsource this to another vendor? If so, as per the Payment Card Industry (PCI) Data Security Standard, you cannot use end-of-life software on any component in scope. Are you a government contractor or subcontractor? If so, you may be prohibited by law or by directive from using end-of-life software.
What can you do to mitigate the risks from end-of-life software? The best way is to simply not use end-of-life software at all: keep an up-to-date software inventory and upgrade or replace software before its end-of-life date. This requires your technical team to be agile since you may have to upgrade on a regular basis. (For example, PHP versions are supported for three years before end-of-life. Ubuntu Linux's interim releases are only supported for nine months.) You may have to decouple your applications or processes from certain pieces of software to make upgrades or replacement easier. While this seems arduous, being able to upgrade your software regularly gives you the visibility, agility, and flexibility that will help you succeed in today's fast-moving Digital First world.
If you're not able to upgrade your software before it goes end-of-life, see if the vendor will allow you to purchase support beyond the public end-of-life date. This will ensure you receive security updates while you work to phase out the software. For example, Microsoft has an Extended Security Update offering for Windows Server 2008 and 2008 R2 which will provide security updates for up to an additional three years (and, incidentally, includes an update for the vulnerability mentioned at the start of this article).
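The inventory discipline described in the two paragraphs above (track every component's end-of-life date, start the upgrade early, and record any paid extended support you have bought) is easy to automate. The following is an added example, not code from the original article: it loads a small constructed CSV inventory, buckets each component as supported, approaching end-of-life, covered by extended support, or past end-of-life, and can be run on a schedule to flag what needs attention. The 180-day warning window and the extended-support date for Windows Server 2008 R2 are assumptions chosen for illustration; the January 14, 2020 end-of-life date is the one the article cites, and the PHP and Ubuntu rows use made-up dates.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample inventory (not from the article): one row per deployed
# component. The Windows Server 2008 / 2008 R2 end-of-life date is the one the
# article cites; the extended_support_until value and the php/ubuntu dates are
# made up for this example.
SAMPLE_INVENTORY_CSV = """\
name,version,end_of_life,extended_support_until
Windows Server 2008,-,2020-01-14,
Windows Server 2008 R2,-,2020-01-14,2023-01-10
php,7.x,2020-12-01,
ubuntu,interim,2021-01-31,
"""

# Assumed policy: start the upgrade or replacement project this far ahead of EOL.
WARNING_WINDOW = timedelta(days=180)


@dataclass
class Asset:
    name: str
    version: str
    end_of_life: date                      # vendor's published end-of-life date
    extended_support_until: Optional[date] = None  # paid extended support, if bought


def load_inventory(csv_text: str) -> List[Asset]:
    """Parse the CSV inventory; an empty extended_support_until means none."""
    assets: List[Asset] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        esu = row["extended_support_until"].strip()
        assets.append(Asset(
            name=row["name"].strip(),
            version=row["version"].strip(),
            end_of_life=date.fromisoformat(row["end_of_life"].strip()),
            extended_support_until=date.fromisoformat(esu) if esu else None,
        ))
    return assets


def classify(asset: Asset, today: date) -> str:
    """Bucket one asset relative to today's date."""
    if today >= asset.end_of_life:
        esu = asset.extended_support_until
        if esu is not None and today < esu:
            return "extended_support"  # vendor still ships security fixes, for a fee
        return "past_eol"              # no further security updates at all
    if today + WARNING_WINDOW >= asset.end_of_life:
        return "eol_soon"              # inside the planning window: schedule the upgrade
    return "supported"


def report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Group asset names by bucket, preserving inventory order."""
    buckets: Dict[str, List[str]] = {
        "past_eol": [], "extended_support": [], "eol_soon": [], "supported": []
    }
    for asset in assets:
        buckets[classify(asset, today)].append(asset.name)
    return buckets


def report_for(csv_text: str, today_iso: str) -> Dict[str, List[str]]:
    """Convenience wrapper: CSV text plus an ISO date string in, buckets out."""
    return report(load_inventory(csv_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Run against the constructed inventory as of the date of the DNS advisory.
    for bucket, names in report_for(SAMPLE_INVENTORY_CSV, "2020-07-14").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Anything in `past_eol` is the case the article warns about: no vendor fixes, so it needs an upgrade, a replacement, or, as a last resort, access restrictions. `extended_support` entries are only safe until the recorded date, so they belong on the same upgrade plan with a hard deadline.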
If you cannot upgrade the software and cannot purchase additional support, you can mitigate some of the risk (although none of the debt) by restricting access to the software. How you can do this depends on your environment. This will only work if it's viable to restrict access. If the software is publicly available (for example, the software in question is an end-of-life version of a web application, e.g. Drupal 6), you will not be able to mitigate risk in this fashion. The simplest, safest approach is to upgrade the software.
In conclusion, using software beyond its end-of-life date is both a significant security risk and a source of technical debt for your organization. It may lead to a security compromise, it may make technical changes harder, and it may affect your compliance with policies, laws, or regulations. Phasing out end-of-life software, either via upgrading or replacing it, removes an obstacle from making technical changes and protects your organization.