UK NCSC warns developers and companies to upgrade from Python 2 to avoid large scale attacks

• Python 2 is approaching End-of-Life (EoL) on January 1st, 2020 after which it will not receive any updates or bug fixes.
• Python 2 applications could be victims to WannaCry or Equifax kind of hacks if developers do not upgrade to Python 3.0 or higher version.

Security researchers at the UK’s National Cyber Security Centre (NCSC) have warned developers over the dangers of using the popular Python 2 programming language as it is impending End-of-Life (EoL). The warning also reiterated that there will be no bug fixes or security updates for Python 2 as it is approaching EoL on the 1st of January, 2020.

Why is Python 2.x vulnerable?

Companies that are still using any version of Python 2.x are recommended to migrate their code to the next version Python 3.x because the developers will stop issuing bug fixes and security updates after EoL. This will leave applications that use Python 2.x vulnerable as nobody is fixing the flaws. As a result, this could lead to risking the data and security of many existing applications.

What kind of attacks could target Python 2.x applications?

Running an unsupported software application can act as a classic gateway to many breaches and incidents as shown in many incidents across the globe. Some of the examples are the WannaCry ransomware that infected more than 230,000 computers across the globe and the latest Equifax breach that resulted in the settlement of $700 million to the security regulation body.

In addition to these highly destructive threats, threat actors can target popular applications including NumPy, Requests, and Tensorflow, etc., that run on Python 2.x. Many of these popular projects have already dropped support for Python 2.x and others have pledged to drop them by 2020.

Time to move to Python 3

"If you're still using 2.x, it's time to port your code to Python 3.x. If you maintain a library that other developers depend on, you may be preventing them from updating to 3," the agency said. "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others," added the NCSC.

Mitigation

NCSC urged companies and developers to migrate their Python 2.x code to Python 3.0 or higher. NCSC also published a blog post which includes a summary of Python 3's most attractive features, but also a list of tools and git repository links that can help developers with the migration, such as Can I Use Python 3, 2to3, and many more.

"If migrating your codebase to Python 3 is not possible, another option is to pay a commercial company to support Python 2 for you," said the NCSC.