The Risk of Running Obsolete Software (Part 3)

by Deb Shinder [Published on 30 March 2016 / Last Updated on 30 March 2016]

In this article we take a closer look at the software support lifecycle that is published by most major operating system and application vendors, and delve specifically into Microsoft’s support lifecycle policy and some of the particulars of which you need to be aware.

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this series, we looked at the statistics that indicate many individuals and companies are still running old versions of software that are less secure and in some cases so obsolete that they aren’t even getting security updates anymore. We also discussed some of the security consequences of using out-of-date operating systems and applications. In Part 2, we talked about why – despite all these security consequences – people and businesses are still clinging to the past and continuing to use software that’s way past its prime.

This time, in Part 3, we’ll look at the software support lifecycle concept and how it plays into the problem, and some details and “gotchas” regarding the Microsoft support lifecycle policy in particular. In Part 4, we will wrap it all up as we get into some specifics about the dangers inherent in particular out-of-date operating systems, applications and devices.

The software support lifecycle

Most major software companies publish what are known as software support lifecycle and end-of-life policies to inform customers and the IT professionals who support their products about the time periods during which the software will receive support from the vendor. This generally includes the date at which the product will stop receiving periodic updates, including the all-important security patches. The lifecycle may include multiple phases: during the main support phase, updates and telephone support may be free, whereas after that phase ends these services may still be available but incur charges.

The establishment and publication of an official lifecycle makes it easier for those who use the product to plan and know when it’s time to start thinking about upgrading. Of course, this is especially important for companies that have dozens, hundreds or even thousands of computers that are running a particular version of an operating system or application.

Published support lifecycles aren’t always written in stone, however. Most vendors will include a clause somewhere in the lifecycle documentation that makes it clear that there can be exceptions to the policy if circumstances necessitate it. For example, if there were unpatchable security flaws discovered that made it a big risk for users to continue to run a specific version of software, the vendor could end all support for it ahead of the standard lifecycle date and provide a new version to replace it.

Alternatively, if a particular software version proves to be exceptionally popular and customers are resistant to upgrading, a software vendor could extend support beyond the published end-of-life date, as Microsoft did with Windows XP in response to customer backlash. More frequently, a vendor will extend support for some “special” (large volume or high profile) customers after ending support for the rest of us. Microsoft made special contract deals with the U.S. Navy and with the U.K. government and other public sector customers to keep providing support to Windows XP for their users after the support lifecycle ran out. Such special treatment comes with a price, though. The government agencies reportedly paid $9.1 million and £5.5 million, respectively.

Of course, the support lifecycle is ignored by many users. According to NetMarketShare, as of the end of January 2016 almost eleven and a half percent of desktop computers were still running XP, and that includes many individuals and small businesses who do not have special extended support contracts.

A plethora of policies

The problem with software support lifecycles is that there is no standardization from vendor to vendor, which can create a headache for IT admins who are managing the types of multi-OS networks that are most common today. There was a time when most IT departments were all Microsoft or all UNIX or all Apple, but those days are long gone. Now you’re expected to support not just desktop and laptop computers but tablets and smart phones and even wearable devices across a whole spectrum of platforms.

That means you need to become familiar with the support lifecycles of each different vendor, and in some cases the lifecycle varies greatly from product to product, as well.

Microsoft software support lifecycle

Because this is, after all, a site devoted to Windows networking, we can assume that most of the readers have at least some Microsoft products deployed, so we’ll look in a little more detail at the company’s support lifecycle policies. Microsoft’s current policy is to provide a minimum of ten years of support for their consumer and business desktop operating systems. This is divided into five years of “mainstream” support (or two years following the release of a product’s successor, whichever is longer – which means that the five-year promise is a minimum) and another five years of “extended” support. Business, Developer and Desktop operating systems get a minimum of ten years of online self-help support.

Consumer software gets the five years of mainstream support but no extended support. This does not include desktop operating systems such as Windows, even the consumer version – those fall under the ten year minimum. It also doesn’t include Xbox games, which aren’t covered by the support lifecycle policy at all.

Some people might be a little confused as to exactly what is and isn’t included in each phase of the support lifecycle. The good news, and most relevant for the readers of Windowsecurity.com, is that security updates are included in both phases, through the entire ten-year lifecycle of Microsoft products. Changes to the product design and features, on the other hand, are only available during the five-year mainstream support phase. Complimentary support is included with the licensing program for the first five years at no charge. Non-security support is included for all customers during the mainstream phase, but when the product goes into extended support after year five, it is available only to those businesses with Premier Support plans, and not for consumer desktop OS products. Extended Hotfix Support can be purchased to get non-security updates after the end of the mainstream phase. You can also buy pay-per-incident support during the extended support period.

The current Microsoft Support Lifecycle policy became effective way back in 2002 and was revised in 2004. There are separate support lifecycle policies for Microsoft’s online services and the consumer hardware products that are made by Microsoft. Special support agreements such as the widely publicized ones provided to government agencies are called “custom support relationships” and are offered at Microsoft’s discretion.

Caveats to consider

Now here’s a little “gotcha” that many may not be aware of: while Microsoft generally provides the standard five-year mainstream/five-year extended lifecycle for its software, there is a distinction in the policy between “major” and “minor” products. A “minor” product is one that is basically a revision of a major product. For example, Windows Server 2008 and 2012 and Windows 8 are classified as major products. Windows Server 2008 R2, 2012 R2 and Windows 8.1 would be considered minor releases of those major products. The catch is that, for purposes of the support lifecycle, a minor product is counted as the same product as its major. What this means in practical terms is that those minor products may not get the full ten years of support: when support for the major product ends, so does support for its minor product(s), even if they were released years later.

Another “gotcha” in regard to the support lifecycle policy is that in order to receive security updates and tech support for the promised periods, you’re required to update to the latest service pack within a specific timeframe. In general, Microsoft continues to support the product with the previous service pack installed for either one or two years after a new service pack is released. After that time, if you’re still running the previous service pack (or no service pack), you may no longer get security and non-security updates and other support for your software. As with “minor” products, the service packs are not considered new products with their own lifecycle and when the support period for the original product ends, so does support for all service packs, regardless of how recently they were released.
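The rules described above (mainstream support is the longer of five years or two years past the successor’s release, extended support adds five more years, minor products and service packs inherit the major product’s end date, and a superseded service pack only keeps support for a grace period) are easy to get wrong when auditing an inventory by hand. The following Python is an added example written for this article, not Microsoft’s own tooling; the product names, release dates and the two-year grace period in the sample data are constructed, not real lifecycle dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, n: int) -> date:
    """Shift a date by n years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass
class Product:
    name: str
    released: date
    successor_released: Optional[date] = None  # ship date of the next major version, if any
    major: Optional["Product"] = None          # for a "minor" release (R2, 8.1): the major it revises
    consumer_only: bool = False                # consumer software that is not a desktop OS: no extended phase


def mainstream_end(p: Product) -> date:
    if p.major is not None:                    # minor products inherit the major product's dates
        return mainstream_end(p.major)
    five_years = add_years(p.released, 5)
    if p.successor_released is None:
        return five_years
    return max(five_years, add_years(p.successor_released, 2))


def extended_end(p: Product) -> date:
    if p.major is not None:
        return extended_end(p.major)
    end = mainstream_end(p)
    return end if p.consumer_only else add_years(end, 5)


def service_pack_end(p: Product, next_sp_released: Optional[date], grace_years: int = 2) -> date:
    """A superseded service pack is supported grace_years after its successor ships,
    but never past the product's own end of support (service packs have no lifecycle of their own)."""
    product_end = extended_end(p)
    if next_sp_released is None:
        return product_end
    return min(add_years(next_sp_released, grace_years), product_end)


def support_status(p: Product, today: date, next_sp_released: Optional[date] = None,
                   grace_years: int = 2) -> str:
    if today >= service_pack_end(p, next_sp_released, grace_years):
        return "unsupported"
    return "mainstream" if today < mainstream_end(p) else "extended"


# Constructed sample inventory (hypothetical products and dates)
SERVER_2008 = Product("ExampleServer 2008", date(2008, 2, 1), successor_released=date(2012, 9, 1))
SERVER_2008_R2 = Product("ExampleServer 2008 R2", date(2009, 10, 1), major=SERVER_2008)
```

Calling `support_status(SERVER_2008_R2, date(2016, 3, 30), next_sp_released=date(2013, 5, 1))` reports the R2 host as unsupported because it is still on the superseded service pack, even though the product itself is still in extended support.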

Summary

In this third part of our series on the risks of running obsolete software, we took a closer look at the software support lifecycle that is published by most major operating system and application vendors, and delved specifically into Microsoft’s support lifecycle policy and some of the particulars of which you need to be aware. Next time, in Part 4, we’re going to look at some use case scenarios and the important real-life consequences that can come with continuing to use specific outdated technologies in the workplace. That will wrap up this four-part series, so be sure to join us then.

The Author — Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.