Why it matters: A few weeks after a security crisis, QNAP is extending its security updates for some older devices past the date they would generally stop. The extension seems to be a response to exceptional circumstances rather than a permanent policy change.
Taipei-based tech company Quality Network Appliance Provider (QNAP) announced this week that it would be changing how it handles security for its aging products for most of the remainder of 2022. While the company doesn’t state it outright, this is probably a response to ransomware attacks that targeted its products last month.
It explained that it usually keeps issuing security updates for devices for four years after their end-of-life (EOL) dates. However, with this announcement, some products more than four years past EOL will keep getting security patches until this October.
The list of affected devices includes any Arm or x86 64-bit products that received QTS OS version 4.2.6, 4.3.3, 4.3.6, or 4.4.1. They will only get security updates considered critical or high priority. One probable example is the update QNAP forced on many NAS users at the end of last month to stop ransomware.
In January, the company changed its designated “recommended” OS version, which pushed automatic software updates that, while successful in stopping the ransomware, broke other functionality for some users. The faux pas happened partially because of QNAP’s multi-layered auto-update system, which some users didn’t understand.