Keeping enterprise IT systems updated with patches is tough enough, but legacy software and software that's no longer supported by vendors pose an added challenge.
For example, where does a company running Oracle 7, which is no longer supported by Oracle, turn when a new security vulnerability is found in supported versions of the database? Bug finders who scour software for flaws wouldn't be much help because they tend to focus on newer versions of products. Often they don't have the time or resources to go back and check every version of an application to see whether a specific vulnerability is present.
Software vendors also wouldn't be of assistance because they focus on their supported versions.
Even if vulnerabilities are located in an older system, there is not a lot of hope that a patch will be available to fix them.
This dynamic highlights some of the security risks that exist when an enterprise runs software that is no longer supported by vendors and demonstrates how security has become an important factor when considering software upgrades, experts said.
On the other hand, there are advantages to legacy software. Often, a company finds that an older software version is more than enough for its needs. Also, there are some security benefits to using older software that isn't being targeted by virus writers and malicious hackers.
For example, some British companies use financial applications that run on OS/2, said Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure, enterprise-based accounting software. "They enjoy a little more security, as people aren't focusing on them," he said.
Yet should attackers turn their attention to such systems or if a vulnerability is found, users wouldn't have much recourse, Mullen said.
Experts said that attackers generally won't target these applications or hardware because the products are so old that attackers lack access to them and so can't learn their weaknesses. Often, software that has recently been de-supported presents the greatest risk to a company; much older versions could pose less risk.
"You do have some security by obscurity, but you shouldn't rely on that," said David Litchfield, a well-known vulnerability finder and co-founder of Next Generation Security Software, based in Sutton, England.
Legacy software also has the benefit of having years of use in the field. For example, so many of the bugs in NT 4 have been found that you "can almost trust it [today]," Litchfield said. "NT 4 has been put through the mill."
The number of vulnerabilities left to be uncovered in Windows 2000 or Windows XP is much greater, Litchfield said.
Yet there is more to security than vulnerabilities. Newer versions of applications, especially operating systems, have security more at the core of their design, Mullen said. With older versions, security was retrofitted. This is especially true of applications created before the rise of the Internet. For example, security measures for NT 4 are much more manual, Mullen said. Keeping older versions secure can take a bit more tweaking and configuring.
Windows 2000, by contrast, supports IPsec. NT 4 would require firewalls and other devices to give it the same level of security, Mullen said.