Why Patches Fail. Episode 3: End of Life-ed (EOL) Software

It’s not exactly a man-bites-dog story, but EOL software on your network is problematic, and some new data from the cyber insurance community has wrapped numbers around this largely accepted notion: organizations deploying End of Life software were 3.7 times more likely to suffer a claim in 2022. The Coalition report was particularly critical of EOL software on a network, highlighting not only the direct impact EOL software has on an organization’s security posture and attack surface, but also asserting that the mere presence of EOL software strongly suggests an organization with little regard for cybersecurity hygiene, and therefore an attractive target for attacks well beyond the EOL software itself.

By way of quick review, EOL software is no longer supported (at least conventionally – more on that later) by the company that builds the software, so it no longer releases new versions, or more importantly security updates, for it. As new vulnerabilities are discovered in the EOL’d software, the vendor no longer develops and releases patches for them, leaving the software – and the organization deploying it – ever more exposed to exploitation by accumulating unpatched vulnerabilities.

In addition to the obvious practical risk exposure, EOL software also poses a significant challenge in terms of regulatory compliance and industry standards. Many industries and regulatory bodies require software to be regularly updated and maintained to meet security and compliance requirements. Using EOL software can lead to non-compliance and potential legal consequences, highlighting the importance of timely software upgrades and patching.

Additionally, an often overlooked element of EOL software is that it can make the organization’s true risk hard to understand. If an organization “applies all available patches,” a seemingly responsible approach to vulnerability remediation, it can fall victim to a false sense of security. Since vendors are no longer building and distributing patches for EOL’d software, no patches will be available, regardless of how many vulnerabilities are discovered in that software. Thus, if an organization assumes that “applying all patches” is synonymous with “patching all vulnerabilities,” it is left exposed to every vulnerability discovered after the software’s EOL date. For instance, a user on Windows 10 Version 21H2 Home Pro might allow Windows to auto-update all patches. In this case, however, confidence that the system is free of vulnerabilities would be misplaced, as Microsoft officially stopped supporting Windows 10 Version 21H2 Home Pro on June 13, 2023. That host/operating system is now exposed to every vulnerability discovered between June 13, 2023 and now, and there are simply no patches available for any of those post-June 13th vulnerabilities.

Another nuance to the challenge of EOL software is that not all EOL software is unsupported. Some manufacturers will extend their window of security updates to select customers willing to pay a premium for those security patches. For example, Microsoft offers several licensing levels: Home, Pro, Enterprise, LTSC, and ESU. The last two, Long Term Servicing Channel and Extended Support Updates, provide users with security updates years beyond the official EOL date of the software. So, security patches may exist for an organization’s deployed EOL software, but the organization can’t leverage those updates unless its licensing level gives it access. Moreover, the NVD (National Vulnerabilities Database) can struggle with EOL software, as CPE data – what most scanners and patching software vendors use as source material in their products – is notorious for being inaccurate.
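The two preceding paragraphs describe the gap between “all patches applied” and “all vulnerabilities patched,” and how the licensing channel changes which patches a host can actually receive. The following is an added example (not code from the original post) of how a scanner could model that distinction: each host is checked against the end-of-support date for the channel it is actually licensed for, and any vulnerability disclosed after that date is reported as unpatchable. Only the June 13, 2023 date for Windows 10 21H2 Home/Pro comes from the post; the ESU date, host names, and CVE-style identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed support table: (product, version) -> {licensing channel: end of support}.
# "general" is the ordinary Home/Pro channel; "esu" is the paid extended window.
# Only the 2023-06-13 date comes from the post; the ESU date is an assumed placeholder.
SUPPORT_TABLE = {
    ("windows10", "21H2"): {"general": date(2023, 6, 13), "esu": date(2025, 6, 13)},
}

@dataclass
class Host:
    name: str
    product: str
    version: str
    channel: str               # licensing level the host actually holds
    all_patches_applied: bool  # what "auto-update everything" reports

@dataclass
class Vuln:
    vuln_id: str               # constructed placeholder, not a real CVE id
    product: str
    version: str
    disclosed: date

def support_end(host: Host) -> Optional[date]:
    """End-of-support date for the channel this host is licensed for (None if no CPE/support data)."""
    return SUPPORT_TABLE.get((host.product, host.version), {}).get(host.channel)

def unpatchable_vulns(host: Host, vulns: list, today: date) -> list:
    """Vulnerabilities disclosed after support ended: no vendor patch will ever exist for these,
    so they stay open no matter how diligently 'all available patches' are applied."""
    end = support_end(host)
    if end is None or today <= end:
        return []
    return [v.vuln_id for v in vulns
            if (v.product, v.version) == (host.product, host.version) and v.disclosed > end]

def risk_posture(host: Host, vulns: list, today: date) -> str:
    """One-line posture that separates 'patched' from 'supported'."""
    exposed = unpatchable_vulns(host, vulns, today)
    if exposed:
        return f"EOL: {len(exposed)} unpatchable vulnerabilities ({', '.join(exposed)})"
    if support_end(host) is None:
        return "UNKNOWN: no support data for this product/version; treat as unverified"
    return "SUPPORTED: fully patched" if host.all_patches_applied else "SUPPORTED: patches pending"

if __name__ == "__main__":
    # Constructed inventory: a Home/Pro host and an ESU-licensed host on the same build.
    vulns = [Vuln("VULN-PLACEHOLDER-1", "windows10", "21H2", date(2023, 5, 1)),
             Vuln("VULN-PLACEHOLDER-2", "windows10", "21H2", date(2023, 9, 1))]
    for h in (Host("pc-home", "windows10", "21H2", "general", True),
              Host("pc-esu", "windows10", "21H2", "esu", True)):
        print(h.name, "->", risk_posture(h, vulns, date(2024, 1, 15)))
```

The same build reports “fully patched” on both hosts, but only the ESU-licensed one is actually covered for the later disclosure; a host whose version has no support record is flagged as unverified rather than assumed safe.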

Although much easier said than done, the remedy for EOL software risk is to upgrade to a supported version of the software, or to replace it with an alternative if no upgrade option exists. In the interim, however, it’s important that your organization’s scanning and patching software is sophisticated enough to deliver this level of detail to users, so that well-informed decisions can be made and the true risk posture is understood.