Wednesday, May 10, 2023

Beware old software

Eventually all software is sent out to pasture, after which you won't get security updates.  Case in point: Cisco will not release security updates for end-of-life telephone adapters:

Cisco Systems is warning that a critical flaw impacting its IP phone ports allows unauthenticated attackers to execute code remotely on targeted devices and gain full admin privileges. It is urging customers still using the impacted model, SPA 112 2-Port Phone Adapters, to upgrade to its Cisco ATA 190 Series Analog Telephone Adapter to mitigate the flaw.

"Cisco has not released and will not release firmware updates to address the vulnerability that is described in this advisory," the company wrote in a security bulletin on Wednesday.

...

Cisco said it was retiring the SPA 112 2-Port Phone Adapters in December 2019 and said end-of-life security support for the product would be June 2020. It's unclear how many impacted models might still be in use today.

This is not a slam on Cisco.  They have an excellent security reputation, because they take the issue seriously and invest in it.  However, once one of their devices reaches end-of-life, they are quite clear that they stop maintaining it.  Heck, that's really the definition of end-of-life, isn't it?

The takeaway for us is that the devices that we buy and use are increasingly software reliant, and need regular updates.  When even large, successful companies reach the point that the device is obsolete, we need to recognize that we've gotten all the use out of it that we safely can.  For smaller and less financially stable companies, that day likely will come much sooner.

This specific Cisco problem almost certainly doesn't affect any of the readers here, but the lesson is important.  From a security perspective we need to remember that all things come to an end one day.  Sometimes the best security tool is a forklift ripping out old devices so you can move forward.
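The practical side of that lesson is knowing which of your devices are already past vendor support before an advisory like this one lands. Here is an added example (not code from the post or from Cisco) of the kind of inventory check a small shop can run: it reads a device list, looks each model up in an end-of-support table, and flags anything past its date or within a warning window. The inventory lines are constructed, the SPA 112 date is the June 2020 end of security support named above (the exact day is assumed), and the other models and dates are hypothetical placeholders.

```python
"""Flag inventory entries whose vendor security support has ended.

Added example, not code from the blog post or from Cisco. The inventory
and most of the end-of-support table are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Date the post was written; used as "today" in the sample run.
POST_DATE = date(2023, 5, 10)

# Model -> last day security fixes were provided (None = still supported).
# SPA112: June 2020 end of security support from the quoted article, day assumed.
# The EXAMPLE-* entries are hypothetical placeholders.
END_OF_SECURITY_SUPPORT: Dict[str, Optional[date]] = {
    "SPA112": date(2020, 6, 30),
    "EXAMPLE-ROUTER-X": date(2023, 12, 31),   # hypothetical, inside the warning window
    "EXAMPLE-SWITCH-Y": None,                 # hypothetical, no end date announced
}

# Constructed inventory in "hostname,model,ip" form (RFC 5737 documentation addresses).
SAMPLE_INVENTORY = """
# hostname,model,ip
ata-lobby,SPA112,192.0.2.10
ata-warehouse,SPA112,192.0.2.11
edge-rtr,EXAMPLE-ROUTER-X,192.0.2.1
core-sw,EXAMPLE-SWITCH-Y,192.0.2.2
old-nas,UNLISTED-NAS,192.0.2.50
"""


@dataclass
class Device:
    hostname: str
    model: str
    ip: str


@dataclass
class Finding:
    device: Device
    status: str            # past_eol | eol_soon | supported | unknown_model
    eol: Optional[date]


def parse_inventory(text: str) -> List[Device]:
    """Parse 'hostname,model,ip' lines, skipping blanks and '#' comments."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostname, model, ip = (field.strip() for field in line.split(","))
        devices.append(Device(hostname, model, ip))
    return devices


def classify(device: Device, today: date, warn_days: int = 365) -> Finding:
    """Decide whether a device is past, approaching, or inside vendor support."""
    if device.model not in END_OF_SECURITY_SUPPORT:
        # A model nobody tracks is itself a finding: its support status is unknown.
        return Finding(device, "unknown_model", None)
    eol = END_OF_SECURITY_SUPPORT[device.model]
    if eol is None:
        return Finding(device, "supported", None)
    if eol < today:
        return Finding(device, "past_eol", eol)
    if eol - today <= timedelta(days=warn_days):
        return Finding(device, "eol_soon", eol)
    return Finding(device, "supported", eol)


def audit(text: str, today: date, warn_days: int = 365) -> List[Finding]:
    """Classify every device in an inventory text."""
    return [classify(d, today, warn_days) for d in parse_inventory(text)]


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status so the totals can be tracked over time."""
    counts = {"past_eol": 0, "eol_soon": 0, "unknown_model": 0, "supported": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def report(findings: List[Finding]) -> List[str]:
    """Render findings, worst first, as plain text lines."""
    order = {"past_eol": 0, "eol_soon": 1, "unknown_model": 2, "supported": 3}
    lines = []
    for f in sorted(findings, key=lambda x: order[x.status]):
        when = f.eol.isoformat() if f.eol else "n/a"
        lines.append(f"{f.status:<13} {f.device.hostname:<14} {f.device.model:<18} "
                     f"{f.device.ip:<14} eol={when}")
    return lines


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, POST_DATE)
    print("\n".join(report(results)))
    print(summary(results))
```

Run against the constructed inventory on the post's date, both phone adapters come out as past end-of-life, the hypothetical router lands in the one-year warning window, and the untracked NAS is reported as unknown rather than silently assumed safe; the warning window is what lets you plan a replacement a year out instead of discovering the gap from an advisory.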

6 comments:

Fredrick said...

What exactly is end of life? After they have sold millions of the item and then move to a new one? It sure doesn't work that way with automobiles, some of which people expect never to have to actually maintain. What is, or should be, a reasonable post volume production time for which security updates should be available, and how would one price that into a product?

Chuck said...

All software should pass to public domain when support from the copyright holder is dropped. When they drop support, they are saying that there isn't any economic value left in it which is the point of copyright law to begin with. That would allow anyone that has come to depend on it to choose to update it themselves instead of being forced to replace it.

Richard said...

@chuck
Excellent idea. Microsoft in particular uses the end of maintenance ploy to force adoption of its new, more intrusive and usually inferior version.

lee n. field said...

They can't just open source software that's past EOL. There's going to be code in there that they can't just let people see. And they can't support stuff forever. Yes, we all loved Win 7, but in retrospect, Win 10 does a lot of stuff better.

("What is 'end of life'?" The end of security updates, outside of something extraordinarily dire.)

Windows OSes (which is where most people notice it) tend to have a good long run, and lots of warning prior to hitting the end. We start bugging our customers the year prior. Got a few Server 2012s out there that will need replacing.

Richard said...

It has been all downhill since Windows 3.1. Windows 7 was the next best. 10 sucks. I like some level of control over my computer.

Etaoin Shrdlu said...

Open source third party firmware! Some older routers can live on! Just do a search.

IDK about other items.