[General] Software End of Life


Tuesday, October 15th, 2013 - General

Some of you may recently have received a notice from us regarding the end of life for PHP 5.2. If your account is using PHP 5.2, you would have received this notice (most of our user accounts are running PHP 5.3, so the notice only went out to a small subset of our client base; don't be alarmed if you didn't get one). We have received a lot of questions about it, most of them from users who want to keep using outdated scripts that are not compatible with PHP 5.3 and higher. That is a bad idea, and in this post I hope to explain why.

What is End of Life?

Over time, software reaches a point where it cannot reasonably be patched any more. Commonly used hardware changes, end-user expectations change, and you just can't keep "fixing" the old code to account for all of that; eventually it has to be rewritten. If you've ever wondered why Microsoft releases a new version of Windows every few years, this is precisely why. Windows XP was a great product, but Microsoft can't keep adding to and patching Windows XP for all eternity. Eventually the developers take what was good about Windows XP, optimize it, add new features and release an updated operating system with better and more efficient code that works with current hardware and current end-user expectations.

All of this leads to software going end of life. Microsoft and other companies cannot support software forever. As far as they are concerned, they have released an updated and better version of their software, end-users should upgrade or switch to that product. Support for these old pieces of software eventually dies off. That software goes “end-of-life”.

Why is End of Life Important?

End of life means that the software no longer has any support. It is no longer being developed, and no longer being cared for or cared about. Deficiencies found in the code of end-of-life software are met with shrugs and "who cares" responses from the developers. As far as they are concerned, they have moved on to another project and updated code, and they only worry about maintaining that.

Take PHP 5.2 for example. The PHP project shipped its last 5.2 release (5.2.17) in January 2011, and the branch has received nothing since. It is entirely possible that a new security hole will be uncovered that affects PHP 5.2: a bug that lets any would-be malicious user run code on the server with the privileges of the web server or PHP process, and from there try to escalate to root. If that happens, do you know what the developers of PHP (http://www.php.net) will do for PHP 5.2? Nothing. The fix lands only in the supported versions, and the answer for 5.2 is "you shouldn't be using PHP 5.2 anyway." This is why running end-of-life software is so dangerous, especially in a web environment where the application and its content are reachable by any user on the Internet. Nobody is watching for, announcing or backporting fixes for holes in an end-of-life version, because it is not supposed to be in use any more. A bug fixed in the current release is very often present in the old one too, but the old one never gets the fix, so the window of exposure is not months; it is indefinite.

Users that use Windows XP, you should be aware that your end-of-life is quickly approaching. Support for Windows XP ends on April 8, 2014. After that date there will be no more patches and no more support for Windows XP. If a security hole is found in Windows XP after April 8, 2014, it will be met with a shrug and a whimper from the developers at Microsoft.

Now, if you have a computer that is not connected to the Internet and you continue to run Windows XP, this is less of an issue (less, not none: a USB stick or any other media that gets plugged in is still a path onto that machine). The computer is not easily accessible to just any user. Only certain people have physical access to it, and because of that you can have a basic audit of who is using the system. You can't have that audit in a web application environment. If it's on the Internet, then anyone with an Internet connection conceivably has access to it. End-of-life matters more when you cannot audit and restrict who has access to the system.

What if I don’t want to upgrade?

There's really no tactful way to answer this question. You have to upgrade, or stop using that product, or run the risk of being compromised. Those are your only three options once a product reaches its end of life. If you continue to run Windows XP after April 8, 2014 and your computer gets infected via a security hole, you cannot go to Microsoft and complain to them about not fixing that hole. Or at least you cannot be surprised when they don't offer a solution (other than upgrading to a supported version of Windows).

I understand that some software may not offer free upgrade paths. Microsoft Windows is like this. Just because you bought Windows XP doesn’t mean that you get a free copy of Windows 7. Whether that is right or wrong or the ethics involved, that’s not for me to say. But that is an understanding (or should be an understanding) that you have when you purchase Windows XP. You should be aware that you will eventually have to pay for a Windows upgrade at some point when Windows XP goes officially end-of-life.

vBulletin is a web application that many users run and that may also be affected by this (I'm not really sure what their upgrade procedure is; I know it is a commercially licensed piece of software, but I do not know whether you have to purchase each subsequent major vBulletin release). But this is something you need to find out before you purchase any software. What is the life cycle of that software? How long will that software be good for? Will I have to pay to upgrade to the next version when the life cycle of this particular product ends?

The good thing about free software is that it's free to begin with and free for the upgrades. For example, Ubuntu, a popular end-user Linux distribution, is a free operating system. Ubuntu 10.04 LTS was released in April 2010; support for the desktop edition ended in May 2013 (the server edition ran until April 2015). The 10.04 desktop is no longer supported by the Ubuntu developers. But when Ubuntu 10.04 was released in April 2010 it was free, and when Ubuntu 12.04 was released in April 2012, it was also free. Users of Ubuntu 10.04 had to upgrade to Ubuntu 12.04 before Ubuntu 10.04 went end of life.

I can understand people's frustration at having to rebuy software for upgrades. I'm not sure how a lot of commercially available web applications approach this (like vBulletin). I encourage you to discuss this with the developers of those applications if you believe it is unfair for them to charge you for an upgrade. The fairness of that issue is really beyond the scope of this post.

I'm also not going to argue that some upgrades, particularly from one major version to another, can't be difficult. That is very, very true. But again, that's an issue that needs to be discussed between you and the developer of the software. People tend not to think about this issue, or the upgrade cost issue, with a web application; they seem to think that they can install it on their website and it will be good forever. That's just not the case. That is a myth. Because web applications are freely accessible to any user with an Internet connection, keeping them up to date and secure is even more important than for an isolated system where an end-user accessibility audit can be done.

So all of that is why end-of-life matters. Because some of our servers continue to run PHP 5.2, and because PHP 5.2 is end-of-life, that is a problem. If you are using a script that still requires PHP 5.2, then I'm sorry to say, but you're really using software that is also end of life, and that is leaving you vulnerable to being exploited and hacked. One more caveat: PHP 5.3 itself was already receiving security fixes only at the time of writing, with its own end of life scheduled for August 2014, so plan for PHP 5.4 or newer rather than treating 5.3 as the finish line. The security of our servers is important to us. Protecting your data and the data of every user on the server is important to us. That is why we are stressing the importance of this end-of-life notice.
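The usual reason a script "requires PHP 5.2" is that it calls functions that were deprecated in 5.3 (the ereg family, set_magic_quotes_runtime) or removed in 5.4 (session_register and friends). The following is an added example, not code from the original post or from any hosting control panel, that greps a web root for those calls so you can see exactly which files tie you to the old version. The directory names and the two sample PHP files it creates are constructed for illustration; the function list is the well-known set of 5.3/5.4 deprecations and removals, and a clean scan means only that the code will load under 5.3, not that it is fully compatible.

```shell
#!/bin/sh
# Added example, not part of the original post: find the PHP source that ties a
# site to PHP 5.2 by grepping for functions deprecated in 5.3 (ereg family,
# set_magic_quotes_runtime) or removed in 5.4 (session_register family).
# The directory layout and sample files below are constructed for illustration.

# Match a call to one of the legacy functions. The leading group rejects
# method and static calls ($x->split() is fine) and identifiers that merely
# end in one of these names (my_split() is fine).
LEGACY_CALL='(^|[^A-Za-z0-9_>:$])(ereg|eregi|ereg_replace|eregi_replace|split|spliti|sql_regcase|set_magic_quotes_runtime|session_register|session_unregister|session_is_registered)[[:space:]]*\('

# scan_legacy_php DIR: print file:line:code for every legacy call under DIR.
scan_legacy_php() {
    # /dev/null forces grep to prefix each hit with its file name even when
    # find hands it only a single file.
    find "$1" -type f -name '*.php' -exec grep -nE "$LEGACY_CALL" /dev/null {} +
}

# count_legacy_php DIR: number of lines containing a legacy call under DIR.
# 0 means the code should at least load on PHP 5.3; it does not prove
# full compatibility with the newer version.
count_legacy_php() {
    scan_legacy_php "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one file that needs PHP 5.2, one that is fine.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/legacy" "$d/modern"
    cat > "$d/legacy/auth.php" <<'EOF'
<?php
session_register('user');                 // removed in PHP 5.4
if (ereg('^[a-z]+$', $_GET['name'])) {    // deprecated in 5.3, gone in 7.0
    $parts = split(',', $_GET['roles']);  // deprecated in 5.3, gone in 7.0
}
set_magic_quotes_runtime(0);              // deprecated in 5.3, removed in 5.4
EOF
    cat > "$d/modern/auth.php" <<'EOF'
<?php
session_start();
if (preg_match('/^[a-z]+$/', $_GET['name'])) {
    $parts = explode(',', $_GET['roles']);
}
$obj->split(',');   // a method named split is not the legacy function
EOF
    printf '%s\n' "$d"
}

# Real use: scan_legacy_php /var/www/html
# Demo run on the constructed tree:
demo_dir=$(make_demo_tree)
scan_legacy_php "$demo_dir"
echo "legacy calls found: $(count_legacy_php "$demo_dir")"
```

Run it against your document root instead of the demo directory and fix or replace each reported file (preg_match for ereg, explode for split, session_start with $_SESSION for session_register); once the count reaches zero, the script has no remaining reason to insist on PHP 5.2.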

Steven