May 9, 2013

Purpose

Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitations can result in disrupted experiments, corrupted research data and/or completely compromised systems.  UABIT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy).  UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.

Windows XP will not be supported after April 2014. Windows versions prior to Windows XP and any version of Mac OS X prior to version 10.6 should be considered unsupported.


Scope

The information in this guidance statement applies to all constituents internal to UAB.

Guidance

We recommend that systems running legacy, unsupported operating systems should not be used. They should be disconnected from the network because of the significant security risk to the university’s network and environment. If the device is critical and cannot be turned off or disconnected, the device should be physically isolated from the university network. If disconnection and/or isolation are not possible, then an exemption and risk acceptance form will need to be completed, signed by the appropriate dean or vice president, and filed with Enterprise Information Security.

Unsupported legacy operating systems:

Windows Family

Windows 95/98/ME

Windows 2000

Windows 2003

Windows XP after April 8, 2014

Mac OS X Family

Mac OS 9.x

OS X 10.5 (Leopard)

OS X 10.4 (Tiger)

OS X 10.3 (Panther)

OS X 10.2 (Jaguar)

Linux Distributions

Ubuntu 11.10 after May 9, 2013

Ubuntu 11.04 and Prior

Ubuntu 10.04.4 LTS

Debian 5.0 (lenny)

Debian 4.0 (etch)

Debian 3.1 (sarge)

Debian 3.0 (woody)

Other Unix OS

AIX prior to 6.1

Solaris prior to 9 (SunOS 5.9)

Questions can be directed to datasecurity@uab.edu or, by calling (205) 975-0842.


References

http://sppublic.ad.uab.edu/policies/pages/LibraryDetail.aspx?pID=38

http://support.microsoft.com/gp/lifeselect

http://www.debian.org/releases/

https://wiki.ubuntu.com/Releases

http://www-01.ibm.com/software/support/aix/lifecycle/index.html

http://www.sun.com/service/eosl/eosl_solaris.html

http://www.computerworld.com/s/article/9229784/Mac_users_left_wondering_if_OS_X_Snow_Leopard_s_retired