Why is it dangerous to go on using an LM 18.3 after EOL?


Post by karlchen »

Split off from the support thread: How to update Firefox on an End Of Life LM 18.3 ?
--
Hello, spamegg. Hello, Hoser Rob. Hello, anyone else, who shares the same point of view.
spamegg wrote: Fri Jun 25, 2021 9:45 am It's not safe to connect to the internet on an 18.3 machine. Don't do it.
Hoser Rob wrote: Sun Jun 27, 2021 9:09 am
Reddog1 wrote: Sat Jun 26, 2021 12:04 am I won't say that Mint 18 is unsafe to use on the internet....
I certainly would.
What this post does not aim at:
It is not my goal to question that it makes sense to upgrade LM 18.x systems to a supported release like 19.x or 20.x, because LM 18.x has passed the end of its supported life.

What the goal of this post is:
Please, convince me that and why what I am doing is dangerous. Explain to me, please, what precisely is dangerous. Give me examples perhaps.

Relevant details about my Linux Mint 18.1 xfce system:
Yes, it is still LM 18.1 xfce. But Firefox and Thunderbird are the most recent releases nonetheless. UFW has been enabled. Moreover my DSL router has got an internal firewall as well.

Code:

karl@unimatrix0 ~ $ inxi -Sx3
System:    Host: unimatrix0 Kernel: 4.4.0-210-generic i686 bits: 32 compiler: gcc v: 5.4.0 Desktop: Xfce 4.12.3 
           tk: Gtk 2.24.28 info: xfce4-panel wm: xfwm4 vt: 7 dm: MDM Distro: Linux Mint 18.1 Serena base: Ubuntu 16.04 xenial 
karl@unimatrix0 ~ $ firefox --version
Mozilla Firefox 89.0.2
karl@unimatrix0 ~ $ thunderbird --version
 Thunderbird 78.11.0
karl@unimatrix0 ~ $ LC_ALL=C sudo ufw status
Status: active

In addition, this LM 18.1 xfce has received its most recent updates, provided by Ubuntu in the official Xenial repos, end of May 2021, a python-apt update even on June 3rd.
(Screenshot: LM18.1_updates_after_EOL.png)

Why should I assume that using this LM 18.1 in June 2021, 2 months after the end of its supported life, for e-mailing with Thunderbird 78.11.0 and surfing the web with Firefox 89.0.2 were more dangerous than doing the same things with LM 19.3 e.g., using the same Thunderbird and Firefox versions?
I am sceptical.
Convince me, please.

Regards,
Karl

Re: How to update Firefox on an End Of Life LM 18.3 ?

Post by Reddog1 »

I note that your system is 32 bit. That eliminates Mint versions above 19.3, because Ubuntu has dropped 32 bit and is 64 bit only with release 20.04. You are going to need to look for a different distribution than an Ubuntu-based one. Mint 19 is LTS until 2023. Debian is continuing to offer a 32 bit version and will probably do so for some time. Since the newest versions of Mint are 64 bit, you might as well choose a 32 bit LTS Debian iso and go for it now.

https://cdimage.debian.org/debian-cd/cu ... so-hybrid/

Re: How to update Firefox on an End Of Life LM 18.3 ?

Post by all41 »

Why should I assume that using this LM 18.1 in June 2021, 2 months after the end of its supported life, for e-mailing with Thunderbird 78.11.0 and surfing the web with Firefox 89.0.2 were more dangerous than doing the same things with LM 19.3 e.g., using the same Thunderbird and Firefox versions?
I am sceptical.
Convince me, please
8)
A man convinced against his will
Is of the same opinion still
lol

Re: How to update Firefox on an End Of Life LM 18.3 ?

Post by Schultz »

Here you go, on a silver platter: https://www.mozilla.org/en-US/firefox/a ... op-release
Reddog1 wrote:
I note that your system is 32 bit.
. . .
Since the newest versions of Mint are 64 bit, you might as well choose a 32 bit LTS Debian iso and go for it now
You do realize you're responding to a global moderator, Karlchen, and not the OP? I highly doubt he will switch to a different distro.

Re: How to update Firefox on an End Of Life LM 18.3 ?

Post by Reddog1 »

Well, in 2023 he's going to have to--or buy new equipment LOL

Re: How to update Firefox on an End Of Life LM 18.3 ?

Post by Pierre »

even though that LM18x system is now EoL, you can still use it,
although, as more Time is passing, it would become even less secure as an operating system.
:)

IE: I've got an even older LinuxMint system, that is running on an even older Laptop,
and I'm aware of how insecure it really is, and that the only thing that gets updated on it,
is that same Firefox /32bit program.
:mrgreen:

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by Schultz »

Reddog1 wrote: Sun Jun 27, 2021 9:02 pm Well, in 2023 he's going to have to--or buy new equipment LOL
Why? It'll still work (although I wouldn't use something that out of date by then on the internet). Or is there something I'm missing?

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by HaveaMint »

I tend to feel if a person doesn't blatantly visit strange or underground sites then I don't see the problem. If one is careful about their browsing habits and you like what you're running, go for it. If all you do is weather, Mint forums, news and movies, what's the problem?
"Tune for maximum Smoke and then read the Instructions".

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by karlchen »

Hello, guys,

who have bothered to reply so far, thank you for your time and thoughts. :)
Nonetheless, I am afraid that so far all your replies are off-topic with respect to my request :( :
karlchen wrote: Sun Jun 27, 2021 12:50 pm What the goal of this post is:
Please, convince me that and why what I am doing is dangerous. Explain to me, please, what precisely is dangerous. Give me examples perhaps.
Regards,
Karl

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by t42 »

karlchen wrote: 27 Jun 2021 18:50
What the goal of this post is:
Please, convince me that and why what I am doing is dangerous. ... Give me examples perhaps.
That was my thought exactly after I read this in the forked thread:
spamegg wrote:
It's not safe to connect to the internet on an 18.3 machine. Don't do it.
I have one such LM18.3 XFCE PC which I'm using with the latest Firefox ESR (by delaying the introduction of new features, Firefox ESR has a smaller attack surface), uBlock Origin and NoScript plus firewall, double NAT, encrypted DNS. Probability of direct attack is low. Security updates provided are mostly for exploits requiring local access - physical access or a local shell account. So I feel pretty safe myself on this PC, though I would not give this machine to some inexperienced person. Still, I'm interested in some real-life security incidents too.
-=t42=-

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by Pjotr »

karlchen wrote: Sun Jun 27, 2021 12:50 pm Please, convince me that and why what I am doing is dangerous. Explain to me, please, what precisely is dangerous. Give me examples perhaps.
An attempt:

On a system that's connected to the internet, it's not enough to have an up to date web browser and e-mail client (although that's of course the most important software to keep up to date).

Other parts of your system are potentially vulnerable to remote attacks as well, which is why they need security updates. If not, the devs wouldn't put so much effort into these almost daily security updates that we get....

Just a general observation coming from what I see as common sense.... I'm far too lazy to dig up real-life examples. :mrgreen:

If you're interested, you can read the Ubuntu CVEs here, and try to find out about any remote attack risks that the security updates fix (and how dangerous they are for you -or not-):
https://ubuntu.com/security/notices
That should allow you to make a sound (gründlich) fact-based risk assessment.

But my advice would be: play it safe and upgrade to a supported distro. If you need a lightweight 32-bit, I recommend Bodhi Linux. A 32-bit edition of Bodhi Linux 6.0, which will be based on Debian instead of the Ubuntu 20.04 which is the base for its 64-bit editions, is just around the corner: I expect the release of the 32-bit edition within the coming days.

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by cliffcoggin »

It seems to me the problem lies in the oversimplified binary classification of risk as either safe or dangerous, with nothing in between. Surely the reality is that there is a slowly increasing risk as an OS exceeds its EOL date, rather than the dramatic "end of the world" scenario so often presented when a certain moment in time is passed?
Cliff Coggin

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by oldgranola »

A question that I hope is sufficiently on topic. Will the update sources for 18.3 even be available in the future? I noticed I had to uninstall and reinstall some applications, particularly non-Ubuntu PPAs, in going to LM20 as the sources were not quite the same. You can always install your own kernels of choice from the official kernel.org source to get the latest of course. If one ends up with a mix, I would also worry about incompatibilities such as trying to run python3 apps with a python2 based system.

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by thx-1138 »

karlchen wrote: Sun Jun 27, 2021 12:50 pm Please, convince me that and why what I am doing is dangerous. Explain to me, please, what precisely is dangerous. Give me examples perhaps.

Why should I assume that using this LM 18.1 in June 2021, 2 months after the end of its supported life, for e-mailing with Thunderbird 78.11.0 and surfing the web with Firefox 89.0.2 were more dangerous than doing the same things with LM 19.3 e.g., using the same Thunderbird and Firefox versions?
I am sceptical.
Convince me, please.
Let's see...how about... :-)
lsof -P -p $(pgrep firefox) | grep '\.so' | awk '{print $9}' | grep -v firefox | less
126 libraries loaded in total...which are not pre-included with the "latest shiny firefox tar.gz" from Mozilla.
Latest or not latest Firefox...it loads unsupported versions of libraries, as in:
you're not actually doing the exact 'same things' if we really want to be pedantic... :)
(and from a quick glance, i can very quickly see libxml, libpng, zlib, pcre, freetype...
ie. relatively usual suspects with a pretty colorful history record of CVEs).

Now, if someone wanted to (supposedly) be 100% certain that firefox doesn't load unmaintained & potentially vulnerable code,
he/she would have to upgrade the following...

Code:

lsof -P -p $(pgrep firefox) | grep '\.so' | awk '{print $9}' | grep -v firefox | xargs dpkg -S | awk '{print $1}' | cut -d: -f1 | sort -u
That is, 105 packages in total...

...ie. the end-user is free to dig through the net to see which ones of those 105 packages,
received updates to resolve possible remote execution issues, during those latest 2 months.
It might very well be absolutely none. I don't doubt that at all -
but i certainly didn't bother checking such one by one... :wink: :mrgreen:

However, it's also not Firefox-specific: the end-user should furthermore rinse & repeat the above,
for other common & daily used software as well: eg. thunderbird, soffice, vlc, the image viewer, the pdf reader etc.
Basically, for every software which receives / parses data from random online sources out there one way or another
(movies from torrent sites, photos, e-books, you name it)...
Someone doesn't really have to worry much for eg. libobscure.so or libyeahwhatever.so, fair enough.
You do have to worry though for eg. libheif, libmatroska, libpng, poppler...

To not sound as an alarmist / scaremonger,
i do currently type this from a partition with Mint 18.3, FF 89 & linux-5.10-oem... :mrgreen:
It's not my main playground though currently - or better said, at this point in time, i keep it around exactly as a playground.

PS: At the risk of sounding paternalistic
(not referring to Karl here, he more than obviously knows very damn well what to do, how & when),
when eg. Clem says that people should keep their systems updated in a relatively reasonable timeframe,
no, most likely he did not get hired by Microsoft, get secretly in cahoots with Gates,
relocate to Redmond or something, and decide to 'force updates' onto people.
Far more likely that he just doesn't want people to have to deal with all of the above,
manually digging / monkey-patching and what not, or worse yet, possibly get into more awkward situations (the 'who knows' part).
See Pjotr's advice above as well: if it's your main system, your actual workplace (and not just a 'playground'),
keep it simple, and use something properly supported instead...
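
An added example (not part of thx-1138's post): the same audit driven from /proc/<pid>/maps instead of lsof, so the parsing step can be checked offline. The sample mappings, the /opt/firefox install directory and the function names are constructed assumptions.

```shell
#!/bin/sh
# Which shared objects does a process borrow from the OS instead of bundling?

# distro_libs APP_DIR -- reads /proc/<pid>/maps text on stdin and prints the
# unique file-backed *.so paths that do NOT live under APP_DIR.
distro_libs() {
    app_dir=$1
    awk -v app="$app_dir" '
        NF >= 6 {                                  # anonymous mappings have no path
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i
            sub(/ \(deleted\)$/, "", path)         # file replaced on disk, still mapped
            if (path !~ /^\//) next                # [heap], [stack], [vdso] ...
            if (path !~ /\.so$/ && path !~ /\.so\./) next   # shared objects only
            if (app != "" && index(path, app "/") == 1) next # shipped with the app
            print path
        }' | sort -u
}

# owning_packages -- reads library paths on stdin and prints the unique Debian
# package names that ship them (prints nothing where dpkg is unavailable).
owning_packages() {
    command -v dpkg >/dev/null 2>&1 || return 0
    xargs -r dpkg -S 2>/dev/null | cut -d: -f1 | sort -u
}

# Constructed sample in /proc/<pid>/maps format (not captured from a real host).
SAMPLE_MAPS='b7400000-b7420000 r-xp 00000000 08:01 1311 /opt/firefox/libxul.so
b7420000-b7430000 r-xp 00000000 08:01 2001 /lib/i386-linux-gnu/libz.so.1.2.8
b7430000-b7440000 rw-p 00010000 08:01 2001 /lib/i386-linux-gnu/libz.so.1.2.8
b7440000-b7460000 r-xp 00000000 08:01 2002 /usr/lib/i386-linux-gnu/libpng12.so.0.54.0
b7460000-b7470000 r--p 00000000 08:01 2003 /usr/lib/i386-linux-gnu/libxml2.so.2.9.3 (deleted)
b7470000-b7480000 r--p 00000000 08:01 2004 /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf
b7480000-b7490000 rw-p 00000000 00:00 0
bf800000-bf821000 rw-p 00000000 00:00 0 [stack]'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MAPS" | distro_libs /opt/firefox

# Live use (assumption: Firefox is unpacked under /opt/firefox):
#   distro_libs /opt/firefox < "/proc/$(pgrep -o firefox)/maps" | owning_packages
```

The package list this produces is what has to be compared against the distribution's security notices once the release stops receiving updates.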

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by karlchen »

Good evening, Pjotr, cliffcoggin, oldgranola, thx-1138.

Thank you very much for taking the time to post replies, which really take my question(s) into consideration.

To everyone,

please, do not assume that my questions were purely rhetorical.
I am not a security expert or a security instructor, who asks his students questions, the correct answers of which he already knows. :wink:
I am not an instructor and you are no students. We are all Linux Mint users, having different levels of skills and knowledge in different Linux Mint related areas.

In brief, I am really interested in learning understandable reasons and arguments, why going on using an OS, which has passed its EOSL, will become dangerous, even in case the browser and the e-mail client are kept up-to-date.

Best regards,
Karl

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by Larry78723 »

Good evening Karl,

Have you given any thought as to why we consistently get kernel updates? It seems to me that updates within a kernel series may be primarily to fix security holes. New capabilities seem to always go into a new kernel series. I believe this is why they can get away with not updating the kernel in an LTR iso.

This is all conjecture on my part so I may be all wrong.

Best Regards,
Larry

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by Flemur »

Why is it dangerous to go on using an LM 18.3 after EOL?
(Attached image: magic8ball.jpg)

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by BenTrabetere »

karlchen wrote: Mon Jun 28, 2021 5:21 pm why going on using an OS, which has passed its EOSL, will become dangerous, even in case the browser and the e-mail client are kept up-to-date.
I am not a security expert, and I do not feel qualified to offer you advice. That said, the browser and email client are not the only aspects to consider; there are a lot of components that receive security updates, and I imagine it would be very difficult to identify all of them and apply the patches manually.

For example, a couple of weeks ago my LM 19.3 received (urgency=medium) security updates for the bluez and imagemagick packages; I may be wrong, but I consider both to be system packages that need to be up-to-date.

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by t42 »

BenTrabetere wrote: Tue Jun 29, 2021 1:26 am the bluez and imagemagick packages
More details to consider their severity:
BlueZ June 16
CVE-2020-26558
BlueZ incorrectly checked certain permissions when
pairing. A local attacker could possibly use this issue to impersonate
devices.

imagemagick June 15
USN-4988-1
It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.
BTW imagemagick always was a stream of vulnerabilities. On my systems

Code:

apt policy imagemagick
imagemagick:
  Installed: (none)
  Candidate: 8:6.9.10.23+dfsg-2.1ubuntu11.4

Still, for me this is the most convincing argument in this thread:
thx-1138 wrote: Mon Jun 28, 2021 5:15 pm Let's see...how about... :-)
lsof -P -p $(pgrep firefox) | grep '\.so' | awk '{print $9}' | grep -v firefox | less
126 libraries loaded in total...which are not pre-included with the "latest shiny firefox tar.gz" from Mozilla.
-=t42=-

Re: Why is it dangerous to go on using an LM 18.3 after EOL?

Post by Hoser Rob »

The OP simply doesn't want to hear it.