Connect with us

Gadgets

Make way for Windows 11? Windows 10 end-of-life is October 2025

Published

on

Enlarge / Please show your retired operating system the respect it deserves, with a proper Viking funeral.

A new Windows visual refresh, code-named Sun Valley. is on the way this summer. Until recently, we’ve assumed that this update would simply bring a new look for Windows 10 21H2—the major release of Windows 10 in the second half of 2021—but new information in the form of posted end-of-life (EOL) dates for Windows 10 and a leaked screenshot of something purporting to be “Windows 11 Pro” heavily imply that serious changes are on the way.

Windows 10 EOL in 2025

Rumors of Sun Valley being “Windows 11” have been circulating for months—but until recently, we didn’t put much stock in them. Windows 10 was intended to be Windows as a Service—a radical departure from the prior era of new, major Windows releases every three years or so. It seemed likely that Sun Valley’s “sweeping visual rejuvenation” would result in Windows 10 21H2 looking very different from Windows 10 21H1. Why fix what’s not broken?

The first strong indication that bigger things may be coming landed last week from a Microsoft-published EOL notice for Windows 10. “Windows 10 Home and Pro”—no codenames, no minor version numbers—is now listed as retiring on October 14, 2025. “Retiring” is a part of the Modern Lifecycle Policy and means that the retired product leaves support entirely; this does not follow the old Fixed Lifecycle Policy with “mainstream” and “extended” support. Retired is retired—hit the pasture.

As Windows Central points out, the retirement date isn’t entirely a new phenomenon—Microsoft initially launched the operating system with “mainstream support” through October 2020 and “extended support” through October 2025, the same five-/10-year-support period it provides for server and enterprise operating systems. What has changed is the way Microsoft talks about that end of support—there was no retirement date for Windows 10 as a whole shown on the home-and-pro life cycle page until recently.

There isn’t any real question about the end of life at this point—Microsoft has published it, and we have no reason to think it won’t happen. The interesting questions revolve around what comes next and when it will happen.

Windows 11 in 2021?

We’ve been seeing rumors about Sun Valley being a new Windows 11 for a few months—and until Microsoft posted a fresh EOL for Windows 10, we were skeptical. Windows 10 has been touted as “Windows as a Service” with no real expiration date for some time now, and there was no real reason to expect anything different.

The end-of-life date for Windows 10 as an entire operating system changes that—and it’s backed up by leaked screenshots of a Windows build claiming to be “Windows 11 Pro” which showed up today on Baidu. The new build is visually similar to the canceled Windows 10X, and its screenshots appear legitimate. (The Verge says it can “confirm they are genuine,” with no details as to how.)

What does a new version of Windows mean for me?

For now, it’s unclear what a new “Windows 11” means for end users—there are no guarantees that existing Windows 10 licenses will allow the use of Windows 11, let alone an in-place upgrade. We also have no concrete idea about when new releases of Windows 10 will cease, when the first Windows 11 will be available, or what costs will be.

We do have an educated guess or two, though—Microsoft’s generous upgrade policies from Windows 7 to Windows 10 (you can still upgrade for free today!) strongly imply a similar policy for 11, which Microsoft will presumably be keen to get users on. We also don’t expect under-the-hood changes as sweeping as the ones which took place between 7 and 10. In all likelihood, in-place upgrades will be available.

We’d also like to point out that the consumer support cycle for Windows 10 is short. For example, Windows 10 21H1—the most current build—is only supported through December 2022. That’s a roughly 18-month lifecycle, and there are no extended support policies for consumer Windows anymore. When it leaves support, you’re expected to upgrade to the next version if you want to continue getting support and bugfixes.

We may or may not see a Windows 10 21H2 or even a Windows 10 22H1. But we don’t expect to see a new Windows 10 build past 2023 at the latest since that would imply the need to support 10 past its October 2025 retirement date.

More details are on the way

If you find the lack of concrete detail here frustrating, you’re not alone. Fortunately, the wait won’t be long—Microsoft’s What’s Next for Windows digital event is coming June 24, and we expect plenty of screenshots, news, and more detailed upgrade guidance at that time.

Continue Reading

Gadgets

Feds list the top 30 most-exploited vulnerabilities. Many are years old

Published

on

Government officials in the US, UK, and Australia are urging public- and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other network-perimeter devices are patched against the most widespread exploits.

In a joint advisory published Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the top 30 or so most-exploited vulnerabilities. The vulnerabilities reside in a host of devices or software marketed by the likes of Citrix, Pulse Secure, Microsoft, and Fortinet.

“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the advisory stated. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”

What, me patch?

Four of the most-targeted vulnerabilities last year resided in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in work-from-home employees driven by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.

Discovery dates of the top 4 vulnerabilities ranged from 2018 to 2020, an indication of how common it is for many organizations using the affected devices to withhold applying security patches. The security flaws include CVE-2019-19781, a remote code-execution bug in Citrix’s application delivery controller (which customers use to perform load balancing of inbound application traffic); CVE 2019-11510, which allows attackers to remotely read sensitive files stored by the Pulse Secure Pulse Connect Secure VPN; CVE 2018-13379, a path-traversal weakness in VPNs made by Fortinet; and CVE 2020-5902, a code-execution vulnerability in the BIG-IP advanced delivery controller made by F5.

The top 12 flaws are:

Vendor CVE Type
Citrix CVE-2019-19781 arbitrary code execution
Pulse CVE 2019-11510 arbitrary file reading
Fortinet CVE 2018-13379 path traversal
F5- Big IP CVE 2020-5902 remote code execution (RCE)
MobileIron CVE 2020-15505 RCE
Microsoft CVE-2017-11882 RCE
Atlassian CVE-2019-11580 RCE
Drupal CVE-2018-7600 RCE
Telerik CVE 2019-18935 RCE
Microsoft CVE-2019-0604 RCE
Microsoft CVE-2020-0787 elevation of privilege
Netlogon CVE-2020-1472 elevation of privilege

Breaching the gate

The vulnerabilities—all of which have received patches from vendors—have provided the opening vector from an untold number of serious intrusions. For instance, according to an advisory the US government issued in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.

That same month, word emerged that a different set of hackers was also exploiting CVE-2018-13379. In one case, the hackers allowed ransomware operators to seize control of two production facilities belonging to a European manufacturer.

Wednesday’s advisory went on to say:

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.

The officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. The vulnerabilities are:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  • VMware: CVE-2021-21985

The advisory provides technical details for each vulnerability, mitigation guidance, and indicators of compromise to help organizations determine if they’re vulnerable or have been hacked. The advisory also provides guidance for locking down systems.

Continue Reading

Gadgets

Apple, AMD, and Intel shift priorities as chip shortages continue

Published

on

Enlarge / Sure, it’s cheaply produced clip art… but it’s also a disturbingly accurate picture of the current state of supply and demand in the semiconductor product market.

2021’s infamous chip shortages aren’t only affecting automakers. In a post-earnings conference call Tuesday, Apple CEO Tim Cook said, “We’ll do everything we can to mitigate whatever circumstances we’re dealt”—a statement that likely means the company will ration its chip supplies, prioritizing the most profitable and in-demand items such as iPhones and AirPods, at the expense of less profitable and lower-demand items.

CFRA analyst Angelo Zino told Reuters that Cook’s somewhat cryptic statement “largely reflects the timing of new product releases”—specifically, new iPhone releases in September. Counterpoint Research Director Jeff Fieldhack speculates from the flip side of the same coin, saying the company will likely direct supply chain “pain” to its least lucrative products. “Assuming Apple prioritizes the iPhone 12 family, it probably affects iPads, Macs, and older iPhones more,” Fieldhack said.

Processor manufacturer AMD has also been carefully managing its supply chain in response to pandemic-induced shortages. With flagship products that finally outperform rival Intel’s, AMD is focusing on the more profitable high end of the market while leaving the economy segment—until a few years ago, its strongest performer—to Intel. “We’re focusing on the most strategic segments of the PC market,” CEO Lisa Su told investors on a conference call.

Apple and AMD are two of semiconductor foundry TSMC’s largest customers—but the problem isn’t limited to TSMC. Intel, which operates its own foundries, acknowledges supply problems of its own. Intel CEO Pat Gelsinger told the BBC that shortages will get worse in the second half of 2021—and that it will be “a year or two” before supplies return to normal.

Gelsinger played up the importance of building new foundries, as Intel is currently doing in Arizona. But he warns that the foundries will take time to get up to speed and begin alleviating shortages—predicting “a year to two years until we’re back to some reasonable supply-demand balance.” This news arrives on the heels of a delay Intel announced this week for its forthcoming 7 nm process, now not expected until 2022.

In some ways, Intel may actually benefit long-term from the pandemic-related supply chain shortages. Although Intel is falling behind rivals AMD and Apple in both performance and power efficiency, the market can only move so far in the absence of supply.

With all vendors selling essentially every processor they can build, Intel’s long-standing ability to produce 80 percent of the world’s x86 desktop CPUs and 90 percent of x86 data center CPUs cements its place in the market—for now—despite ceding performance crowns to its rivals.

Continue Reading

Gadgets

Here’s what that Google Drive “security update” message means

Published

on

“A security update will be applied to Drive,” Google’s weird new email reads. A whole bunch of us on the Ars Technica staff got blasted with this last night. If you visit drive.google.com, you’ll also see a message saying, “On September 13, 2021, a security update will be applied to some of your files.” You can even see a list of the affected files, which have all gotten an unspecified “security update.” So what is this all about?

Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a “get link” option (where anyone with the link can access the file). The “get link” option works the same way as unlisted YouTube videos—it’s not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Along with Drive, Google is also changing the way unlisted YouTube links work, and the YouTube support page actually describes this change better than Drive does:

In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven’t shared the link with them.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn’t affect links you’ve shared in the past, and soon Google is going to require your old links to change, which can break them. Google’s new link scheme adds a “resourcekey” to the end of any shared Drive links, making them harder to guess. So a link that used to look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/” will now look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.” The resource key makes it harder to guess.

If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you’ll see a button on the right to remove or apply the security update. “Applied” means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while “removed” means the resourcekey isn’t required and any links out there should keep working.

Google's "impacted files" interface. Feel free to add or remove that security update.

Google’s “impacted files” interface. Feel free to add or remove that security update.

YouTube already went through this process earlier in the month, with all unlisted links before 2017 going dead, unless the owners of the videos are still active on YouTube and opted out. Drive is doing this with a bit more finesse than YouTube, though. Thanks to account-based sharing, anyone who accessed your unlisted Drive links in the past will still be granted access to them, even if you upgrade the security. No new people will be able to access the old, upgraded link, though. This way, if you have a stable community that uses an unlisted file, it should mostly be able to keep on trucking. Any new members, however, will be locked out and will need to request access. If you don’t want this, at any point the owner of the file can hit the “share” button and change the settings to generate a new link or turn off the link altogether.

Not letting third parties create a list of all your unlisted files is a good thing, but don’t confuse this link change with any actual security. You should never share anything over the “unlisted” or “get link” features on YouTube, Drive, or Google Photos if you actually want it to be private. Secret links are just security through obscurity, and even with Google’s upgrades, they should not be considered secure or undiscoverable. This arrangement is totally fine for casual documents, but always assume that anyone in the world can read an “unlisted” file. If you’re OK with that, fine. But if not, use Google’s actually private account-based sharing options.

Continue Reading

Trending