The smell of potato chips and a few too many energy drinks wafts through the air. Dawn is still hours away. The dark room surrounds Joe as he smiles in the dim light of the laptop screen. His persistence has finally paid off. He has been dissecting this component for a while. Server 2003 is old. Many of its bugs have been patched, but there are more waiting to be discovered. And now he owns one.
He first started banging on this component after reading about an odd issue that someone reported in a forum. Something clearly wasn’t right. There was a flaw there, if only he could figure out how to exploit it. Each failed attempt brought him that much closer to this moment – he has finally cracked the mystery of this bug. Better yet, this particular bug gives him System access to the server. As far as the server is concerned, he holds the keys to the kingdom. And this one has never been publicly reported. He holds a zero-day exploit.
A zero-day is valuable on the black market. But it will be even more valuable if he simply waits a few months. With Server 2003 hitting end of support on July 14, there will be no more security patches coming after that date. As long as he keeps this one secret until then, this bug will be unpatched and viable for a long time. This bug is going to be a gold mine for Joe; he just has to be patient.
* * *
While this narrative is fictional, it is based in our current reality. Windows Server 2003 reaches end of support on July 14, 2015. At that time, Microsoft will stop producing updates (including security patches) for this 12-year-old operating system.
Any bugs that are not patched as of that date will remain vulnerable. There isn’t really a question of “if” a bug will be discovered, just a matter of “when.” Because those bugs will not be patched beyond that date, they will continue to be viable avenues of attack for the long term.
Hackers typically spend a significant amount of time discovering bugs and developing exploits for them. As long as a product is within its support period, the bug has a “shelf life”: it is only useful until a patch is developed and deployed. However, once a product reaches the end of its support period, that shelf life is essentially open ended. For the hacker, this means a significantly longer exploitation window for the same effort put into developing the exploit.
While that is good news for the hacker, it is bad news for anyone still using software that is beyond its support period. As we have been covering in this blog series on Windows Server 2003 End of Life, companies need to deal aggressively with discovering, assessing and remediating any servers that are still running Windows Server 2003. Time is running out – fast!