My Software is End-of-support, Who Cares?
With the ultimate demise of Windows XP comes questions of what it really means that software is "unsupported?" I get this question a lot when a client reads through a penetration test report for their environment and wants to know why they can't use an out-of-date version of XYZ webserver software or Windows XP (which, by the way, was supported for just shy of twelve years).
While not as obvious as default credentials (something else I see more often than I should during penetration tests), end-of-support software means that the software vendor will no longer produce any security patches for that version of software. Think about owning a Ford Model T in 2014 and then going to the dealer and demanding a new fender or engine crank. Its just not economically feasible for them to continue to manufacture and stock parts for a car that started production over 100 years ago. While it's true that you may be able to fashion a new fender yourself or commission a sheet metal expert for the task, closed source software does not work this way.
It could be argued that only the developers (or someone that has spent a significant amount of time getting familiar with the source code) could produce fixes to future security vulnerabilities. Closed source software has a relatively small team with access to the code needed to be either modified or augmented to close security holes. Open-source software does not suffer from this same issue, however, end-of-support could possibly begin at launch day as formal support is not generally provided on such projects.
As with the Model T, perpetual support is not feasible for a closed source software application or operating system.
So who cares if my software is out of date?
Since inception, Windows XP has had 453 high and critical vulnerabilities.1. The trend has slowed in recent years as low-hanging fruit became less common. This does not predict the future, however, and any vulnerabilities that will be found going forward will absolutely not be patched or remediated. This would leave any system on your network at risk for compromise and a likely target for any attacker. Even if your XP systems do not handle or access sensitive information, that is exactly where I would "setup shop" with persistence to access the network anytime I wished. It extends an attacker's time and resources, the two things you must exhaust to thwart any attack.
The bottom line.
We knew this day would come. It comes everyday for may versions of software. XP end-of-support is somewhat more painful being the operating system for many workstations worldwide. There are alternatives available, Microsoft-related and otherwise.
In order to ensure a secure computing environment one major win is to keep all of your software up to date. This is literally impossible with end-of-support closed source software. Please adjust your strategic plan accordingly.
