Wednesday, November 6, 2024

Microsoft Update Warning—400 Million Windows PCs Now At Risk


Here we go again. Previously fixed Windows vulnerabilities are back to haunt users. And with perfect timing, there’s also a serious new warning for at least 400 million users, all of whom need to act to keep their PCs and data safe from attack.

This is all about timing. The public interest advocacy group PIRG is now campaigning for Microsoft to extend the Windows 10 support extension now available to schools to other users. “In one year, Microsoft plans to end support for Windows 10,” they warn, “potentially rendering up to 400 million computers obsolete overnight. This decision could trigger the single largest surge in junked computers in history, with dire consequences for both consumers and the environment.”


Schools have been given a dispensation from Microsoft ahead of the October 2025 end-of-life (aka end-of-support) deadline for Windows 10. “Windows 10 expires in one year,” PIRG says, “junking millions of PCs… We pushed Microsoft to extend support for schools and we’re advocating for more.” The advocacy network wants a rollover of support arrangements for home users as well, at low or zero cost.

“Under Microsoft’s new policy,” it says, “schools can keep Windows 10 computers in classrooms safe from attacks for three additional years by paying $1 per computer for the first year, $2 the following year, and $4 the third year.” This is far cheaper than extended support options for enterprises. “Consumers will be able to purchase extended support, although prices have not been announced… We continue to push for an automatic extension of essential security updates for Windows 10.”

Landfill is a serious issue, but there’s an even more alarming security backdrop to this time-bomb. Owners of the 400 million obsolete PCs—plus the other 500 million that can upgrade to Windows 11 but have not—have been given two further warnings to focus minds as to the risks they’re taking and the imperative to act quickly.

First, the serious “downdate” threat, first disclosed in August and subsequently patched, has returned in part. Microsoft fixed two vulnerabilities after security researcher Alon Leviev aired the risks in August: that a PC could be wound back to make it vulnerable to already-patched threats. But Leviev has now warned that “the Windows Update takeover which was reported to Microsoft as well, has remained unpatched, as it did not cross a defined security boundary.”

This is a grey area, as exploitation requires physical, administrative-level access to a device. “Microsoft did fix every vulnerability that resulted from crossing a defined security boundary,” Leviev told Dark Reading. “Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed.”

Still, better to be supported as and when these vulnerabilities are patched, as I assume they will be given past practice. The same should be true for the Windows Theme vulnerability that’s now being reported as a zero-day, even though it should already have been patched. Per Cybersecurity News, “Acros Security researchers reported that even though Microsoft recently issued a patch (CVE-2024-38030) to address the associated problem, the risk was not entirely mitigated.”

The point is not the specifics of either vulnerability—because, let’s face it, Windows zero-days have turned up like buses in recent months. The issue is the reliance that hundreds of millions have on automated, blind-faith support coming to a sudden end a year from now. The Windows ecosystem just isn’t ready for that.


“The one-year countdown clock is ticking,” warns PIRG, launching a petition to push Microsoft into extending support. “While Microsoft is celebrating their earnings, the company should decide to lead the technology industry to support longer lasting products. Automatically extending Windows 10 could stop the largest surge of junked computers and help the tech giant meet its ambitious sustainability goals.” I have approached Microsoft for any comment on the PIRG report.

As laudable as these sustainability goals might be, the security imperative is more urgent. That countdown clock is a nightmare about to come true for Windows users the world over. And you can be sure there will be threat actors operating on an industrial level to exploit newly arising vulnerabilities if the current confusion persists.
