Wednesday, November 6, 2024

Microsoft Update Warning—400 Million Windows PCs Now At Risk

Must read

Updated on November 1 with reaction to Microsoft’s surprise move to extend support for the hundreds of millions of PCs that would otherwise be at risk.

Here we go again. Previously fixed Windows vulnerabilities are back to haunt users. And with perfect timing, there’s also a serious new warning for at least 400 million users, all of whom need to act to keep their PCs and data safe from attack.

This is all about timing. The public interest advocacy group PIRG is now campaigning for Microsoft to extend the Windows 10 support extension now available to schools to other users. “In one year, Microsoft plans to end support for Windows 10,” they warn, “potentially rendering up to 400 million computers obsolete overnight. This decision could trigger the single largest surge in junked computers in history, with dire consequences for both consumers and the environment.”

ForbesGoogle Warns 2 Billion Chrome Users—Update Now As Apple Reveals Dangerous New Threat

Schools have been given a dispensation from Microsoft ahead of the October 2025 end-of-life (aka end-of-support) deadline for Windows 10. “Windows 10 expires in one year,” PIRG says, “junking millions of PCs… We pushed Microsoft to extend support for schools and we’re advocating for more.” The advocacy network wants a rollover of support arrangements fort home users as well, at low or zero cost.

“Under Microsoft’s new policy,” it says, “schools can keep Windows 10 computers in classrooms safe from attacks for three additional years by paying $1 per computer for the first year, $2 the following year, and $4 the third year.” This is far cheaper than extended support options for enterprises. “Consumers will be able to purchase extended support, although prices have not been announced… We continue to push for an automatic extension of essential security updates for Windows 10.”

Landfill is a serious issue, but there’s an even more alarming security backdrop to this time-bomb. Owners of the 400 million obsolete PCs—plus the other 500 million that can upgrade to Windows 11 but have not—have been given two further warnings to focus minds as to the risks they’re taking and the imperative to act quickly.

First the serious “downdate” threat first outed in August before being patched has returned in part. Microsoft fixed two vulnerabilities following security researcher Alon Leviev’s airing of the risks in August, that a PC could be wound back to be made vulnerable to already patched threats. But Leviev has now warned that “the Windows Update takeover which was reported to Microsoft as well, has remained unpatched, as it did not cross a defined security boundary.”

This is a grey area, as exploitation requires physical, administrative-level access to a device. “Microsoft did fix every vulnerability that resulted from crossing a defined security boundary,” Leviev told Dark Reading. “Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed.”

Still, better to be supported as and when these vulnerabilities are patched, as I assume they will be given past practice. The same should be true for the Windows Theme vulnerability that’s now being reported as a zero-day, albeit it should have been patched. Per Cybersecurity News, “Acros Security researchers reported that even though Microsoft recently issued a patch (CVE-2024-38030) to address the associated problem, the risk was not entirely mitigated.”

The point is not the specifics of either vulnerability—because, let’s face it, Windows zero-days have turned up like buses in recent months. The issue is the reliance that hundreds of millions have on automated, blind-faith support coming to a sudden end a year from now. The Windows ecosystem just isn’t ready for that.

“The one-year countdown clock is ticking,” warns PIRG, launching a petition to push Microsoft into extending support. “While Microsoft is celebrating their earnings, the company should decide to lead the technology industry to support longer lasting products. Automatically extending Windows 10 could stop the largest surge of junked computers and help the tech giant meet its ambitious sustainability goals.” I have approached Microsoft for any comment on the PIRG report.

As laudable as these sustainability goals might be, the security imperative is more urgent. That countdown clock is a nightmare about to come true for Windows users the world over. And you can be sure there will threat actors operating on an industrial level to exploit newly arising vulnerabilities if the current confusion persists.

ForbesNew Samsung Update Warning For Millions Of Galaxy Owners—Check Your Phone Now

Better news for Windows 10 users with Microsoft finally announcing an extended support option for the hundreds of millions of users due to see their support end in October 2025. “For the first time ever,” Yusuf Mehdi, the company’s Consumer Chief Marketing Officer, blogged on Thursday, “we’re introducing an ESU (extended security update) program for personal use as well. The ESU program for consumers will be a one-year option available for $30. Program enrolment will be available closer to the end of support in 2025.”

That said, the post itself is all about the benefits of moving to Windows 11, and the extended support option is only available as a paid subscription and only runs for a single year. The clear risks are that consumers won’t pay the fee and the cliff-edge simply splits between those paying and those not, and then those who have paid facing the same challenge twelve months later.

In that regard, Mehdi has also confirmed the end to the support currently in place for Windows 10 users. “Starting Oct. 14, 2025, Windows 10 will no longer receive security updates. As security threats evolve and adapt, so must our operating systems and hardware. Because of this, we designed Windows 11 to be the most secure version of Windows ever — by default and design — to help you stay ahead of those risks.”

Mehdi also re-emphasized the hardware/software linkage that has driven the upgrades hurdles that have qualified out those 400 million PCs. “Advanced security features include hardware-based protection through TPM 2.0, enhanced authentication methods and virtualization-based security fully enabled by default. Windows 11 also includes phishing protection, offering robust defense mechanisms, and provides an extra layer of security against common and persistent cyberattacks, like attempts to compromise login credentials or install malware.”

It will be interesting to see what response this gets from the Windows 10 die-hard, those currently refusing to budge to Windows 11, especially those whose hardware actually complies but have thus far chose to stand still.

“As we approach the end of support for Windows 10 on Oct. 14, 2025,” Mehdi posted, “we want to ensure you are well-prepared for the transition to Windows 11. This milestone marks an important step in our mission to provide the most modern and secure computing experience possible for everyone whether at work, school, or home… We are incredibly grateful for your loyalty and passion for Windows 10, and we are working hard to make it easy to move to Windows 11.”

Mehdi’s announcement was greeted with a mixed response from both analysts and users. The Register neatly summed up the key problem. “As of last month, Windows 10 had 62.75 percent of Redmond’s OS market share, compared to 33.42 percent for the newer version ago. Perhaps that’s why the software behemoth has decided to offer Extended Security Updates – previously only available for business, education, and government users – to anyone who wants them.”

The challenge then becomes one of what then? This ruins the risk of simply delaying the problem while undermining the security imperative that Microsoft has been pushing for Windows 11, that marriage of secure hardware and software.

The more serious challenge, though, will be one of user inertia. At last count, estimates are that there remain 900 million PCs running Windows 10, of which only 400 million are not technically capable of the leap to Windows 11.

ForbesNew Android Spyware Warning—Do Not Install These Apps

As such, the question will quickly become how many of those are home users, and then how many of those home users will actively take out a paid 12-month security subscription. The risk will be a backlash that users haven’t been given a 12-month free reprieve, to give everyone more time to move.

The Verge commented on this seeming confusion for users. “After originally saying it was done with major Windows 10 updates in 2023, Microsoft switched up its approach earlier this year in a confusing move that could help Windows 10 usage remain strong. The software giant took the unusual step of reopening its beta program for Windows 10 users in June to test new features and improvements to an OS that it’s supposed to be ending support for next year.”

Perhaps the more serious issue is that this just reinforces the Windows 10 die-hard movement, and plays to the agenda that it’s a much more loved OS than the newer alternative. “It’s likely,” The Verge suggests, “that Windows 10 usage will continue to remain strong throughout 2025 and beyond.”

Typically, Redditors have not held back their views on the news. “They have close to 40% profit margin,” commented one, “they make too much money to care what we think of their products.” Another said simply “they prioritize profits over user loyalty, sadly.” While echoing the impending (now delayed) security issue, another poster framed the risk: “Forget 2025, I’m calling it now, in 7 or so years there’s gonna be a spree of hacked computers in a whole bunch of under funded institutions.”

On the other hand to balance the argument, other posts welcomed the move, “they’ll just push Windows 10 EOL further around next summer,” said one. “I don’t think MS have the heart to leave 50%-60% of all computers worldwide vulnerable to malware.” Another posted (somewhat hopefully) that “a lot of Microsoft services are EOL next year, they’re cleaning up the house. They will likely still publish critical patches for everyone like they did with older versions but don’t expect a lot more than that.”

Meanwhile Neowin offered a reminder that this is just a sticking plaster approach and doesn’t really extend the full service currently offered. “It is worth noting that the Extended Security Updates program only grants access to security patches and fixes, so do not expect new features and major changes during that period,” albeit “with eleven months of mainstream support ahead, Microsoft is still adding some interesting changes to Windows 10.” Not for much longer, though.

Whether framed as good or bad news, it’s certainly notable that Microsoft has seemingly felt compelled to take this step, given low Windows 11 conversion rates. “This is the first time Microsoft is offering an ESU program for consumers, which is very notable,” XDA Developers reported. “You may recall than an ESU program also existed for Windows 7, but it was only available for business customers. Windows 10 was a massively popular operating system, mainly because it was a free upgrade for both Windows 7 and Windows 8.1, and it brought things much closer to the desktop experience users expected after the fiasco that was Windows 8. With Windows 11 being significantly different in a few ways, many users aren’t ready to upgrade, so Microsoft is throwing those users a lifeline, even if it’s only for an extra year.”

Latest article