tech refresh vulnerability management

Tech Refresh as Part of an Effective Vulnerability Management Program: Part One

The topic I’m going to focus on today is updating outdated operating systems and other aspects of tech refresh as part of vulnerability management, which is one of the most critical tasks for a cyber security professional. This task comes in at #3 on the Center for Internet Security’s (CIS) Top 20 control listing. While vulnerability management is listed as a fundamental control, the processes required to put an effective program into place are anything but basic.

One aspect of vulnerability management that’s often overlooked that I’ve frequently seen in recent risk and vulnerability assessments is unsupported operating systems.

The saying “if it isn’t broke, don’t fix it” doesn’t apply to outdated operating systems. While these systems may run fine and support your operations without a hiccup, running outdated operating systems, or releases the vendor doesn’t support anymore, is introducing risk into your enterprise.

The Critical Problem: Patching

The critical issue here is that security testing and patches aren’t being conducted or developed by the vendor, so any vulnerability that is found after the operating system passes its end-of-life date will stay unpatched. Additionally, other hardware and software developers often won’t test their products for compatibility or driver support with the discontinued operating systems. While not an issue initially, the lack of support may start to cause issues with usability as the system ages.

Outdated Hardware and Other Issues

Another issue with outdated operating systems is the hardware they’re running on. In almost every case I’ve come across, an outdated operating system is running on the original hardware. I’ve even seen Windows Server NT 4.0 (yes, in 2018). For older servers, this can lead to operational issues with reliability as older systems with limited processor and memory capabilities struggle to support the load or connections that modern systems can. While this is not a specific cyber security concern, maintaining operations is a requirement for any company and having inadequate systems is a risk that businesses shouldn’t accept.

The major software vendors understand they must support older systems, but they can’t support them indefinitely. Most major operating systems developers have a consistent development and support cycle that allows predictability for their customers.

One other issue to consider with end-of-life dates for operating systems is that vendors will often offer reduced-price or free systems to budget-constrained organizations. While some of these offers may be genuine, many times the systems are six to eighteen months from their end of life date. In order to keep using the platforms, the organization must purchase a costly upgrade or undergo a complete architecture overhaul in order to remedy the problem. Any time you’re making a large architecture change, make sure to look at the complete picture. As part of any architecture review or change management board (a critical part of an effective governance program), this should be included as one of the criteria when evaluating any system.

Your Guide to Vendor Operating Systems and End-of-Life Support Dates

I’ve consolidated a listing of major software companies and added details about their support cycle, a link to their website or other supporting websites that provide relevant information, as well as tables that show operating systems and their end-of-support dates. The end-of-support date listed corresponds to when the developer no longer issues security patches for their product.

The vendor operating system support data provided below is primarily taken from the vendor sites, FAQs, or other provider information where possible to provide authoritative information on support. Some vendors don’t provide a set date for end-of-life. In those cases, the security patch releases were analyzed, as well as other press releases where possible to deduce what the support looks like. While this information will become outdated relatively quickly, the links to the vendor information will remain a valuable resource.

To see what the trends are for the industry, the StatCounter GlobalStats project collects information on visitors to over two million websites monthly. Specifically, they gather and aggregate information about the systems visiting. I think they provide an interesting insight into the systems used by people visiting websites.

1. Desktops and Laptop Operating Systems

The primary productivity systems that users touch are their desktop and laptop systems. Microsoft dominates this space, with around 60 percent market share in the US and Apple’s macOS comes in at just under 20%, according the StatCounter GlobalStats. We’ve also included Linux distributions in this study but are only including the most popular variants.

For the purposes of this post I have put laptops in with the desktop systems. While they could be included in the mobile category, laptops are typically refreshed on a similar cycle to desktops, so this is where they logically fit. It should be noted that laptops are notorious for not being updated regularly, especially for laptops that are issued to employees who rarely use them or do not regularly connect them to the Internet or the corporate network to get the necessary patches. Care should be taken to develop an enforceable policy to realistic procedures to minimize risk.

2. Windows Life Cycle Support

As the dominant operating system, making sure your Microsoft systems are refreshed is critical. The Microsoft operating system development cycle releases operating system updates every 3-4 years. Microsoft’s policy is to support operating systems for 10 years. After that, security patches are no longer provided. The primary Windows version seen in the US is Windows 10, with Windows 7 coming in at just under 30%. It should be noted that Windows XP still accounts for a little over 1% of the total windows operating systems, despite reaching end-of-life in 2013.

Windows Life Cycle Fact Sheet

Operating System Release Date End-of Life Date
Windows ME September, 2000 July 11, 2006
Windows XP October 2001 April 8, 2014*
Windows Vista November 2006 April 13, 2010
Windows 7 October 2009 January 14, 2020
Windows 8 / 8.1 October 2012 January 10, 2023
Windows 10 July 2015 At least until October 2026

*Microsoft provided an exception to this when they released a patch specifically for EternalBlue on May 13, 2017 that covered the unsupported Windows XP and Windows Server 2003.

3. macOS Life Cycle Support Updates

Apple is different from other operating system developers because it doesn’t publish a software life cycle support timeline. The new release cycle for the macOS appears to be set annually with the announcement of the OS at the Apple Worldwide Developers Conference (WWDC) and the software release in September. If this pattern holds, it looks like Apple uses a three-year support cycle for the macOS, with the last security update being released at the 34-month point. MacOS makes up around 20 percent of desktop operating systems with 22 percent of those systems observed being past end of life as of November 2018, according to GlobalStats.

See the table below for macOS versions and release dates and the last security update released by Apple for the respective OS version.

Operating System Release Date Last Security Update Date
Version 10.5: OS X Leopard October 26, 2007 May 14, 2012
Version 10.6: OS X Snow Leopard August 28, 2009 September 12, 2013
Version 10.7: OS X Lion July 20, 2011 September 17, 2014
Version 10.8: OS X Mountain Lion July 25, 2012 August 13, 2015
Version 10.9: OS X Mavericks October 22, 2013 July 18, 2016
Version 10.10:  OS X Yosemite October 16, 2014 July 19, 2017
Version 10.11: OS X El Capitan September 30, 2015 July 9, 2018
Version 10.12: macOS Sierra September 20, 2016 January 22, 2019*
Version 10.13: macOS High Sierra September 25, 2017 January 22, 2019*
Version 10.14: macOS Mohave September 24, 2018 January 22, 2019*

*Most recently published security update

Apple security updates are available here for a consolidated view of available patches and the most current software available for each of its supported platforms. Apple also publishes a “Vintage and Obsolete Products” listing here, specific to the hardware platforms, and keeps the site updated with current information.

4. ChromeOS Lifecycle Support

ChromeOS is like the Android operating system because it’s based on a Linux kernel. However, the development teams and development cycle are independent. ChromeBooks are sold via multiple hardware companies, and Google provides automated updates and support for the operating system automatically until it reaches Auto Update Expiration (AUE). Google’s policy is to support ChromeOS for at least five years, with expected support being six and a half years from the initial hardware launch. The linked page also includes the current supported devices by vendor and product with the AUE date listed. This list is long (30 vendors) and will not be reproduced here. It’s important to note that when you buy or receive ChromeBooks, especially from a reseller, that you as the security professional determine what the serviceable life of these devices are: you don’t want to purchase a one-year solution that will require an additional investment of time and money later. Then you won’t have to buy a one-year solution that will require more investment later. This especially important for the public sector, specifically for school systems.

The ChromeOS release notes provide information on changes to the features and policies for the various supported ChromeOS releases.

5. Linux Desktops

Linux distributions aren’t a very common desktop operating system, making up just over one percent, according to GlobalStats in November 2018. The distributions discussed here were based on surveys and popularity for desktop versions. The two we are going to look at here are Ubuntu and Mint.

6. Ubuntu Life Cycle Support

Ubuntu is the most popular distribution of Linux, providing an operating system for desktops and servers. Ubuntu numbers are released based on the year and month of delivery, so 18.10 is the version that was released in October 2018, which is their most recent release. Ubuntu has a full version and interim release cycle, designating the full version release as its “Long Term Support (LTS)” version. Their LTS version is guaranteed to have at least five years of support, including maintenance and security updates. Minor releases have nine months of guaranteed support.

Operating System Support End Date
Ubuntu 10.04 LTS April 2015
Ubuntu 12.04 LTS April 2020 (support extended)
Ubuntu 14.04 LTS April 2019
Ubuntu 16.04 LTS April 2021
Ubuntu 17.10 August 2018
Ubuntu 18.04 LTS April 2023
Ubuntu 18.10 August 2019

7. Mint Life Cycle Support

Mint is based on Ubuntu and Debian and designed to be more user friendly for installation. Like Ubuntu, Mint provide LTS versions supported for a minimum of five years.

This site provides a link to all the current versions and their support dates, also listed below.

Operating System Support End Date
Mint 3 August 2023 (estimated)
Mint 17.x April 2019
Mint 18.x April 2021
Mint 19.x April 2023

Summary

Remember that security testing and patches aren’t being conducted or developed by the vendor, so any vulnerability that is found after the operating system passes its end-of-life date will stay unpatched. Also, don’t forget that old hardware can cause issues. And when making a large change to your system architecture, remember to look at the whole picture.

Does your organization need a vulnerability assessment? Check out our services page here or contact us here.

Part Two of this blog post will cover Android and iOS operating systems. Coming soon!