Exactly how vulnerable are unsupported versions of Ubuntu?

[Hylas de Niall]

The purpose of this thread is to enlighten both myself and other users about the frequently mentioned dangers of running versions of Ubuntu that are past their 'end of life'.

Many folk (myself included) still have hardware that can't run newer Ubuntu releases, but which can run older versions with ease. We are always reminded of the 'vulnerabilities' of out of date releases, but what exactly are the dangers? Is it really all that hazardous?

I'd love to keep running Lucid on a couple of my machines.

Thanks in advance.

[grahammechanical]

It is your machine. It is your decision. Canonical agreed to supply security patches for a specific amount of time and they have kept to their agreement. That is about it really. How vulnerable was Lucid at the time those security patches were being supplied?

The Ubuntu Weekly Newsletter always supplies a list of Updates and Security updates for all the in-life Ubuntu releases. Links are provided to emails that explain (or not) why the patch needs to be applied. Judge for yourself how necessary they are. But these patches are available and it is good that we get them. I value the way Linux and Ubuntu developers are continually keeping the distribution up to date. This is a better way than waiting until there is a major breach in security and then rushing out a fix which some users may not apply and so open a vulnerablity to other machines running the same OS.

The fact is that life moves on. Newer Linux kernels are developed and support for older kernels is dropped. What kernel do you have in Lucid? Linux 2.6? Well, Saucy Salamander has Linux kernel 3.11.

Regards.

[mörgæs]

Why do you want to take the risk if you can just install Lubuntu 13.04?

The single most effective means in keeping safe is using updated software (not thereby saying it's the only step you need).

[vasa1]

The purpose of this thread is to enlighten both myself and other users about the frequently mentioned dangers of running versions of Ubuntu that are past their 'end of life'.

Many folk (myself included) still have hardware that can't run newer Ubuntu releases, but which can run older versions with ease. We are always reminded of the 'vulnerabilities' of out of date releases, but what exactly are the dangers? Is it really all that hazardous?

I'd love to keep running Lucid on a couple of my machines.

Thanks in advance.

"Exactly" in the title and body of your question would be related to each vulnerability and whether the OS version is affected or not.

Anyway, without any official figures, I'd hazard a guess that most of the "issues" arise because of "social engineering". In other words, two people, both with exactly the same outdated software and hardware may be affected differently. One opens dodgy emails and responds to "Congratz: you have won a billion dollars". The other user doesn't.

[Rob Sayer]

As far as security goes, I'd take a no longer updated version of ubuntu over a current version of windows anytime.

[newb85]

As far as anything goes, I'd take an EOL version of Ubuntu over a current version of Windows any time.

It's really hard to say "exactly". Exactly what kind of answer were you looking for? A percent chance you'll regret the decision?

Vasa1 makes an excellent point--basically, it depends on your interaction with the outside world. If you're aware of the risk you're taking and you're extra careful, it will take your risk down somewhat.

As a side note, there are other things to consider in the decision whether or not to upgrade. For one thing, the more out-of-date you become, the harder it becomes to get support from the forums. Everyone else moves on, and your issues become ancient history. Also, support for interaction with the outside world can become an issue (flash support comes to mind, but I know there are others).

Lubuntu has been recommended. If you'd rather not jump from Gnome2 (which is no longer supported) to LXDE, though, I would suggest you use MATE. It's a fork of Gnome2 that is still supported (though not by the Canonical team). It's used by Linux Mint, so it's probably not going away any time soon. More at http://mate-desktop.org/

[tgalati4]

I'm running Linux Mint Mate 14 on some older machines. It will give you a similar environment to 10.04. In some respects older kernels and hardware are less vulnerable--security by obscurity. If there is a massive Android infection, are your machines going to be infected? Probably not. Even if there is an exploit on a newer linux system, the fact that the frameworks have changed so much means that the exploit may not work on older systems.

I agree, social engineering is more of a problem, regardless of your operating system.

So keep running your systems until they burn up, cease to boot up, or they no longer do what you want them to do. Some people still use typewriters. They can certainly type faster on a typewriter than on an iPad.

If you have several machines, take just one and put a newer distro on it. RAM is key. You will need to buy some RAM to max out older hardware.

I'm replying to this post on a 2005 Dell Inspiron 600m laptop. Cracked bezel and dodgy battery. Runs Linux Mint Mate 14 (based on 12.10) just fine. I just updated the kernel to 3.5.0.40. Of course, I put in more RAM, from 512MB to 2 GB, the maximum. So if you can find RAM for an older machine, you can run current distros and at least have the illusion of being secure.

[buzzingrobot]

The vulnerabilities are impossible to quantify. Unsupported systems, by definition, are vulnerable to exploits created after their EOL.

Linux, of course, is targeted much less.

If you can stay current with the apps used to access the net -- browser, mail, etc. -- you will decrease your vulnerability. These things are easily installable from files provided by Mozilla/Google/Opera/etc and typically can update themselves.

If you have the skills and patience, you can backport kernel and other patches yourself.

Red Hat maintains a 2.6 series kernel for RHEL 6 that is very well-patched. It's available from the CentOS repos. Dunno if it would work with Ubuntu releases of the same vintage as RHEL6, but it might be an amusing experiment. And, you could always try a current Ubuntu mainstream kernel.

Still, the best, the only, way to get the Gnome 2 interface on a current supported base is to install Mate. Some name changes were needed but it's the old Gnome 2 base recompiled and massaged for 2013.

[Hylas de Niall]

As far as security goes, I'd take a no longer updated version of ubuntu over a current version of windows anytime.

In essence that was what i was asking about.

With the impending EOL of Win XP there will be a lot of hardware that won't be capable of running newer releases (due to driver support in newer kernels) even of lightweight distros. It would be a shame for them to go to landfill when they can still be run efficiently with older Ubus.

To refine my original question - bearing the above premise in mind - would running out-of-date Ubus be as safe as running XP (even while it's supported)?

Thanks,

[BBQdave]

With the impending EOL of Win XP there will be a lot of hardware that won't be capable of running newer releases (due to driver support in newer kernels) even of lightweight distros.

An old desktop that my Mom was using had Windows XP - wiped it long ago and installed Linux for her. When she updated to a new desktop a few years ago, I took her old desktop - 256 Mb of RAM - and it is now an Ubuntu 12.04LTS file server

With old hardware, I think it is a choice of repurposing. I could max out the RAM to 1 Gb, and run Lubuntu or Xubuntu nicely - but the original machine with original hardware, works nicely as a file server.