NCSC warns organisations to dump Python 2 or risk WannaCry-style cyber attacks

Python 2.x will no longer receive bug fixes and security patches from January 2020

The National Cyber Security Centre (NCSC) has warned organisations running Python 2 applications to update within months or risk WannaCry-style cyber attacks.

Python 2.0 was released on 16 October 2000 and Python 2.7, originally set for end-of-life in 2015, will finally go out of support in January 2020. That end-of-life date was put back because of the large number of applications that would need to be migrated to Python 3, which was released in December 2008.

But organisations that haven't shifted or discontinued Python 2-based apps by January 2020 will no longer receive bug fixes or security updates from Python's core developers.

Given that's a little over four months away, the NCSC is urging organisations to port their code to Python 3 ASAP, if they haven't already done so, warning that if they don't they are "risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing".

The NCSC warning continues: "The WannaCry ransomware provides a classic example of what can happen if you run unsupported software. It infected more than 230,000 computers, causing major disruption around the globe. More recently, the Equifax breach has resulted in a settlement of up to $700m."

The risk of a WannaCry or Equifax-style incident isn't the NCSC's only concern. It notes that many popular projects such as NumPy, Requests, and TensorFlow have pledged to drop support for Python 2.x by 2020 and some already have.

"This means that if you want to use the latest features of your favourite modules, you'll need to be using Python 3," the NCSC said. "The longer you wait to update, the more the Python 3 versions of your dependencies will have changed, and the more difficult updating will become."

It is also urging devs who maintain a library that others rely upon to take heed of its warning, noting: "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others.

"You may not publish any code outside of your organisation but consider your colleagues who may also be using your code internally."

The NCSC's blog, warning of the impending end-of-life, also outlines the benefits of Python 3, and lists a number of tools and resources available to make porting code easier, such as the Can I Use Python 3 application, which checks project dependencies, and 2to3, a Python application that can help convert Python 2.x code to Python 3.