
The Day After: SRFF Calls On Microsoft To Extend Support For Windows 10

Yesterday – Tuesday, October 14th – marked the official “Day After”: the first full day following the End of Support for Windows 10 on October 13th. That “end” also marked the beginning of the uncertain future that Microsoft’s abandonment of a major and widely used operating system has set in motion. That is why SRFF, the Secure Resilient Future Foundation, is joining other leading organizations in calling on Microsoft to reverse course by extending its support for the Windows 10 operating system and providing security updates to deployed Windows 10 devices as it works to move customers onto Windows 11 or newer operating systems.

The case for continuing to support software that runs hundreds of millions of devices globally is not hard to make. Right to repair advocates like US PIRG and the EU’s Restart Project note the irony that Microsoft’s end of life for Windows 10 coincided with International E-Waste Day – ironic because an estimated 400 million of the devices running Windows 10 cannot be upgraded to Windows 11, including an estimated 180 million Windows 10 systems deployed on business networks. The absence of a clear upgrade path will force their owners to buy new devices, or pay Microsoft for a temporary (one year) extension of support. Or, Windows 10 users can replace that operating system with an alternative operating system like Linux or Chrome. But should Windows 10 customers who cannot upgrade their hardware choose to throw it away, it could add up to 1.5 billion pounds of e-waste.

Cyber Risks Proliferate on End of Life Devices

But what of the Windows 10 device owners who choose the path of least resistance: simply allowing their Windows 10 device to continue operating, absent any patches or security updates? As the past decades have shown, that global population of tens or even hundreds of millions of end-of-life Windows 10 devices will, over time, spawn exploitable software vulnerabilities and other cybersecurity risks: a playground for cybercriminal groups and nation-backed hacking crews.

Recent incidents make clear that the risk posed by “end of life” software on connected devices is real and not just hypothetical. In May, for example, researchers at Lumen’s Black Lotus Labs warned of a botnet consisting of thousands of residential and small business end-of-life (EoL) devices such as broadband routers. Lumen tracked malicious actors’ use of the botnet as a proxy that provided them with anonymity as they targeted victims in the United States, along with Canada and Ecuador. That campaign was just one of many documented by Lumen and other firms in which malicious cyber actors specifically target devices running unsupported, end-of-life software. There are also botnets like “Faceless,” which is made up of 40,000 end-of-life small office/home office (SOHO) routers, or the KV-Botnet, which the China-backed actor Volt Typhoon has boosted by aggressively targeting IoT devices like end-of-life broadband routers and IP cameras to build out attack platforms used to target larger private firms, government agencies and critical infrastructure.

“Microsoft’s decision to stop providing free software security updates to the hundreds of millions of devices running its Windows 10 operating system will have devastating effects on public health and welfare,” said Paul Roberts, the President and co-founder of SRFF. “The tens of millions of Windows 10 devices that stop receiving patches will soon be fodder for cybercriminals, ransomware gangs and state-backed hacking groups who seek to carry out devastating attacks on businesses, governments and critical infrastructure.”

Microsoft: privatize the profit, ¯\_(ツ)_/¯ the risk

What is the solution? As we wrote last month, the launch of a global population of hundreds of millions of unpatched – and unpatchable – endpoints is a boon for malicious cyber actors. It’s time to call out the severe public health and safety impacts of Microsoft’s decision – and the irony of a nearly four trillion dollar corporation erecting paywalls in front of security updates.

Join with SRFF as well as PIRG – The Public Interest Research Group – and others by adding your name to a letter urging Microsoft to reverse its decision to end support for Windows 10.

And, join SRFF’s larger campaign to erect common sense guardrails and business standards around decisions regarding the end of support and/or end of life for software and “smart” software-driven and Internet connected devices. SRFF launched a campaign to “abandon abandonware” and, in March, joined with Consumer Reports, PIRG and the Center for Democracy and Technology (CDT) to put forward the Connected Consumer Product End of Life Disclosure law, model legislation to promote new laws that protect consumers of smart, Internet-connected products from the financial and security impacts of vendors walking away from support of smart products.

By speaking with one voice about Microsoft’s responsibilities to its customers, and to the public good, we can convince the company to change course and continue offering support for its Windows 10 operating system, or to provide other means for the Windows community to keep the software secure and up to date.

We hope you’ll join us in the fight to win a secure and resilient future!

Paul Roberts,
President, Secure Resilient Future Foundation
