Upgrade your end-of-support Microsoft products as soon as possible, urges HKCERT

If your refrigerator supplier stops providing maintenance services, will you “ignore it” and let the refrigerator’s fresh-keeping and refrigeration functions gradually disappear until it becomes a hotbed for germs? Likewise, the security risks you face will only increase if you stick to computer operating systems and applications that no longer receive any official patches, technical support, and security updates.

In November last year, Microsoft announced that a series of its products, including Microsoft Office 2013, Windows Server 2012 and 2012 R2, will reach the end of support (EOS) this year. However, according to the latest data from Shodan, a third-party search engine for network-connected devices, as of early January this year there are around 97,000 computers in Hong Kong that are still running Windows Server 2012 and 2012 R2.


The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) under the Hong Kong Productivity Council said if enterprises and personal users continue to use EOS applications and operating systems, they will face the following risks:

  1. Since EOS applications and operating systems (OSs) will no longer receive any patches, technical support, and security updates, it becomes easier for hackers and malware to infiltrate whenever new security vulnerabilities appear, leading to a higher risk of a data breach;
  2. Running EOS applications and OSs might lead to software compatibility issues; and
  3. Due to the compliance regulations and system security policies of specific industries, systems using EOS OSs might not be certified, or might lead to compliance issues.

Hence, HKCERT urges users of such products to take the below measures as soon as possible:

  1. Related users should plan and upgrade their operating systems to supported versions as soon as possible (e.g., Microsoft Office LTSC 2021/365 and Windows Server 2022).
  2. Those who already have plans to upgrade their operating systems but are unable to do so before the deadline can purchase the Extended Security Updates (ESU) service from Microsoft to secure extra time, if applicable. For example, users of Windows Server 2012/R2 who have purchased ESU services can still receive critical and important security updates until 13 October 2026.
  3. Migrate to Cloud Virtual Machines (some cloud service providers will provide ESU for three years after the end of support); and
  4. For legacy applications that are not compatible with the supported OS version or patches provided by the ESU service, placing the related system on an isolated network is recommended. System administrators should source an alternative application compatible with the supported OS version.

For information security-related incidents, for example, ransomware, phishing, denial of service attacks, etc., please report to HKCERT through its online Incident Report Form at https://www.hkcert.org/incident-reporting. For other enquiries, please contact HKCERT by email at [email protected] or call its 24-hour hotline: 8105 6060.

Source: HKCERT