Republished on November 28 with new reports suggesting that while Windows 10 end-of-support will impact 2025 PC sales, it will not fix the problem.
A stark reminder this week that 450 million Windows users must now act to ensure their PCs and data remain safe. Microsoft has provided a $12 billion solution to the problem, but it won’t protect everyone. Just make sure you’re not caught out.
On Tuesday, ESET published a report into a previously unknown Windows vulnerability that was chained with a similarly unknown browser vulnerability to successfully attack PCs. Both threats have now been patched, and Windows users need to ensure their PCs are now updated. But if your PC comes off support, this is exactly the kind of threat that you won’t be protected against.
There are still 850 million Windows 10 users—plus another 50 million on even older versions of the OS. Fortunately, around 450 million users have PCs that likely meet the technical hurdles to upgrade to Windows 11 and maintain support. That leaves 400 million Windows 10 users that need to act before Windows 10 support ends next October, plus those other 50 million, of course,
Microsoft has now famously offered a $30 one-time-deal to extend Windows 10 support by 12-months—a $12 billion windfall if all 400 million users unable to move to Windows 11 extend. There are also various workarounds to trick a PC without the required TPM 2.0 hurdle to upgrade to Windows 11. Plus there’s always the option to upgrade your hardware, and 2025 could be a good time to buy a new PC. Whatever option you choose, just make sure you pick one and maintain support. Microsoft’s current nags might be irritating, but they’re bugging you for a reason.
According to ESET, the “previously vulnerability in Windows, assigned CVE-2024-49039 with a CVSS score of 8.8,” enables arbitrary code to be executed as if being by the logged-in user. This use after free memory bug provides a pathway from the browser to the PC, triggered when the exploit-hosting website is visited.
This was chained with “CVE-2024-9680, with a CVSS score of 9.8, [which] allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser.” This Windows Task Scheduler flaw enables a sandbox escape, enabling an attack to schedule a malicious task to be executed.
In combination, “if a victim browses to a web page containing the exploit, an adversary can run arbitrary code–without any user interaction–which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s PC.”
RomCom is a Russia-backed cyber threat group that targets businesses for financial gain as well as likely state-sponsored or at least state-induced espionage operations. Recent RomCom targets include Ukrainian government entities as well as various industrial sectors in the US and Europe, including insurance, pharma and energy.
This particular attack was built around a maliciously crafted website “that redirects the potential victim to the server hosting the exploit.” Once the exploit is downloaded, it executes code to open RomCom’s backdoor. This chain attack comprising two different vulnerabilities working in tandem is typical of what we see these days, which is why even seemingly niche or innocuous threats can be dangerous when used in combination with other known or unknown flaws.
ESET says that “from October 10, 2024, to November 4, 2024, potential victims who visited websites hosting the exploit were located mostly in Europe and America.” This attack was targeted, with up to a few hundred victims per country identified, but the threat itself has the potential to expand or to be provided to other bad actors.
“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction,” ESET says. “This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.”
The cyber team also call out Mozilla’s exceptional pace in being able to release a fix in just 25 hours, “which is very impressive in comparison to industry standards.” Microsoft patched the Windows vulnerability in this month’s update.
Despite Microsoft’s decision to offer a paid 12-month support extension for Windows 10 users, analysts still expect a recovery in PC sales in 2025 driven by Windows 10 end-of-life. As reported by The Register, “the global laptop market is forecast to grow by 4.9 percent during 2025, but commercial upgrade cycles and the looming Windows 10 end of life are driving this rather than demand for AI-capable PCs.”
The analysts at TrendForce forecast 2025 recovery based on “reduced political uncertainty following the U.S. presidential election and the Federal Reserve’s rate cuts in September 2024, expected to stimulate capital flow. Combined with the end-of-service for Windows 10 and demand for commercial device upgrades, global notebook shipments are predicted to grow by 4.9% to 183 million units in 2025.”
This follows a 2024 “hindered by high interest rates and geopolitical uncertainties, [with] annual shipments are forecast to reach 174 million units, marking a 3.9% YoY increase… commercial notebooks faced headwinds in 2024 due to global layoffs and economic and political instability, leading to a more cautious demand environment.”
Simple math tells us that the 450 million PCs needing to upgrade will not be addressed by next October, leaving a huge number needing to pay $30 or fall off support. Most of the 2025 recovery is also expected to be within the enterprise market, which already knew there would be Windows 10 support options beyond next October and for more than just 12 months.”
This isn’t new. As Windows Central suggested in September, “generative AI isn’t pushing Microsoft Copilot+ PC sales — a dire need for future-proof upgrades coupled with Windows 10’s imminent death is.” With disappointing analyst reports on PC shipments through the third-quarter, it suggested “consumers are buying AI PCs because of their need to upgrade and purchase new devices, not for their sophisticated capabilities.” With attention turning to 2025 even then.
What hasn’t been factored into this is whether a misalignment of supply and demand, especially on the consumer side will drive growth. It certainly has the potential to drive good deals in the marketplace, with those users now having the new option of a support extension, meaning they can wait a while longer and benefit from new AI technology settling down and likely being priced accordingly.
Microsoft is now helping drive PC sales, interrupting users with nags to upgrade their systems before Windows 10 support expires. As annoying as this is, a successful hack would be worse. And for Microsoft, the prospect of hundreds of millions of Windows users no longer patching PCs must be a nightmare.
