Maximum PC

Windows 10 end-of-life security reality check

Davey Winder explains how vulnerable you’ll be if you decide to carry on using Windows 10 past its sell-by date


Windows 10 is not yet an ex-Windows. It is not preaching to the choir eternal, and it has not ceased to be. Yet, it will soon become as dead as the parrot in that famous Monty Python sketch. So what will this mean in terms of the security of your data?

Dates and details are important. Windows 10 Home and Professional 21H2 won’t get any more security updates, having hit end of support on June 13 2023. Organizations running Education and Enterprise versions have until June 11 2024.

If you’ve updated to version 22H2 then security updates will continue until October 14 2025. Note that this applies to all versions, including Education and Enterprise.
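As an added illustration (it is not part of the article), the following PowerShell snippet reads a Windows 10 machine's version and edition from the registry and reports where it stands against the support dates quoted above. The date table and the grouping of editions are taken from the text; LTSC and IoT editions, which the article does not cover, are out of scope, and anything older than 21H2 is simply flagged for a lifecycle check.

```powershell
# Added example, not from the article: report where a Windows 10 host stands
# against the support dates quoted in the text. Run on the host being checked.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$build = [int]$cv.CurrentBuildNumber
if ($build -ge 22000) {
    Write-Output "Build $build is Windows 11; this check only covers Windows 10."
    return
}

# DisplayVersion ("21H2", "22H2") exists from 20H2 onward; older builds only carry ReleaseId.
$version = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
$edition = $cv.EditionID   # e.g. Core, Professional, Enterprise, Education

# Edition grouping and dates as stated in the article (assumption: LTSC/IoT editions not covered).
$isOrgEdition = $edition -in @('Enterprise', 'Education')
$eos21H2 = if ($isOrgEdition) { [datetime]'2024-06-11' } else { [datetime]'2023-06-13' }
$endOfSupport = @{
    '21H2' = $eos21H2
    '22H2' = [datetime]'2025-10-14'   # all editions
}

if (-not $endOfSupport.ContainsKey($version)) {
    Write-Output "Version $version ($edition) is not in the article's table; check Microsoft's lifecycle page."
    return
}

$eos  = $endOfSupport[$version]
$days = ($eos - (Get-Date).Date).Days
[pscustomobject]@{
    Version      = $version
    Edition      = $edition
    Build        = $build
    EndOfSupport = $eos.ToString('yyyy-MM-dd')
    Status       = if ($days -lt 0) { "UNSUPPORTED for $(-$days) days" } else { "$days days of updates left" }
}
```

Run it across an estate (for example through a remoting session or your management tool) and the output objects give you an immediate list of which machines are already without patches and which still have a countdown.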

RUNNING WINDOWS 10 AFTER OCTOBER 14 2025

The security implications of continuing to use a legacy version of Windows long after the security updates have stopped are best illustrated in one word: WannaCry. The May 12 2017 worm was spread using a vulnerability within the Microsoft Windows server message block (SMB) protocol—a vulnerability that had been patched two months prior. Organizations that hadn’t yet patched, or couldn’t patch as they were running unsupported versions of Windows, were most exposed.

Recent research revealed that 76 percent of the vulnerabilities used in ransomware attacks in 2022 were at least three years old. The oldest dated from 2012. These were not all Windows vulnerabilities, of course, but it does stress the importance of keeping up to date with patching.

While there’s no such thing as absolute security, there is a spectrum of better to worse, and end-of-life software swings you heavily towards the latter. Unpatched vulnerabilities spring to mind, but collateral damage also comes into play. Not least, compliance issues in regulated industries, legal liability if a breach can be shown to come back to an unsupported system, and even the likes of Cyber Essentials Plus certification not being available, which could swing your customers away to competitors.

REAL-WORLD SECURITY MITIGATIONS

The requirement for a TPM 2 chip to run Windows 11 means that a lot of older hardware isn’t up to the job, and upgrading large numbers of machines is not an option for some businesses. However, most new computers will be compliant, and there aren’t too many UI issues when switching from 10 to 11—certainly not as many as when switching from XP to 7, for example.

When it comes to the remaining mitigations, these can be split into three groups: high-cost, wing and a prayer, and practical.

The high-cost option will be if Microsoft offers extended support. This has been the norm historically, and while there’s no guarantee that it will happen with Windows 10, I’d be extremely surprised if it didn’t. I’d be equally surprised if the cost wasn’t enough to bring a tear to any finance director’s eye—a cost that increases with every year it’s renewed. Migrating to Windows 11 will likely sound cheap by comparison.

Then there’s the wing and a prayer option, by which I mean the simple fact that Microsoft has a history of releasing “emergency” security updates for unsupported software when the circumstances are severe enough: WannaCry patches for XP and Vista in 2017, PrintNightmare patch for Windows 7 in 2021. The problem is that for each of these critical situations, there are hundreds of critical and high-rated vulnerabilities that will go unpatched. Relying on out-of-band emergency updates doesn’t make for a workable security policy.

PRACTICAL MITIGATIONS?

This brings us nicely to the answer for most people, most of the time: the practical mitigations. Faced with criminal actors who will be actively looking to exploit unpatched Windows 10 vulnerabilities, there are numerous things you can do to mitigate the risk of your legacy machines. You will likely only need legacy support for specific software needs, so run those within a virtual environment where possible. If it’s a matter of specialist hardware that can’t be run virtualized, then look to network isolation instead.
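Taking the network isolation point a step further, here is an added PowerShell example (not from the article) of the firewall posture a defender might apply to a legacy Windows 10 machine that has to stay on the LAN for specialist hardware: default-deny inbound on every profile, SMB explicitly blocked (the protocol WannaCry travelled over), remote management allowed only from one admin workstation, and SMBv1 removed. The management address is a placeholder from the TEST-NET-1 range and the rule names are my own; run it as Administrator and extend the allow list only with whatever the hardware genuinely needs.

```powershell
# Added example, not from the article: shrink the network exposure of a legacy
# Windows 10 host that cannot be retired or virtualized. Run as Administrator.
$managementHost = '192.0.2.10'   # placeholder address; replace with your admin workstation

# 1. Default-deny inbound on all profiles. Outbound is left open so the machine's
#    own software keeps working; tighten it too if the device needs no internet access.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Explicit block for inbound SMB/NetBIOS session traffic. In Windows Firewall a
#    block rule wins over any allow rule, so this holds even if someone later adds
#    a broad allow for the management host.
New-NetFirewallRule -DisplayName 'Legacy-Block-SMB-Inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any

# 3. Allow remote management (RDP here) from the single admin workstation only.
New-NetFirewallRule -DisplayName 'Legacy-Allow-RDP-From-Admin' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $managementHost -Action Allow -Profile Any

# 4. Remove the SMBv1 stack entirely rather than relying on the firewall alone.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 5. Show the resulting posture so the change can be recorded and reviewed.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Legacy-*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; Ports = $port.LocalPort -join ',' }
    }
```

The host firewall is only the last line: the same machine should also sit on its own VLAN or behind an access list so that nothing but the management host and the hardware's own peers can reach it in the first place.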

You might also want to consider third-party patch providers. These tend to fall into two camps: virtual patching and micro-patching. The former has the advantage of speed, as it applies an additional security layer using pattern-matching to spot known vulnerabilities. This is also a weakness if the attacker obfuscates that vulnerability pattern. Micro-patching, the best-known example being 0Patch for Windows, acts like a traditional vendor patch, correcting the vulnerable executable code. 0Patch often releases patches before an official Microsoft patch is available.

Let’s conclude things with a reality check: the best risk mitigation is to upgrade to the latest Windows operating system.
