Microsoft is removing Windows 10 Home and Pro downloads from sale later this month. The downloads include licence keys for Windows 10 (necessary to activate and use the download), and are being removed more than two years before Microsoft stops officially supporting Windows 10 on October 14th, 2025.
Microsoft updated its Windows 10 product pages recently to note the January 31st cutoff date for sales, but it’s not clear how the company will treat similar downloads and license keys available from retailers like Amazon. We asked Microsoft to comment on Windows 10 license keys and downloads from third-party retailers, but the company only confirmed its own plans to remove its own sales.
“An update was made to the Windows 10 product page to ensure customers have the latest information on purchasing options for Windows 10,” says Amy Bartlow, Windows marketing director, in a statement to The Verge. “Customers have until January 31, 2023 to purchase Windows 10 Home and Windows 10 Pro from this site.” Microsoft is naturally recommending Windows 11 instead, and points out that Windows 10 will continue to be supported until its end of life in October 2025.
While Microsoft is winding down its own Windows 10 sales to consumers, it’s likely that Windows 10 license keys and even laptops and PCs with the OS preinstalled still be available from third parties for quite some time before Microsoft stops supporting the OS.
Microsoft originally launched Windows 10 in July 2015, with a focus on feedback and fast iteration. The OS followed Windows 8, which was widely criticized for removing the traditional Start menu and button and embracing a touch-first interface throughout. Windows 10 was also Microsoft’s first version of Windows to be run like a service, continuously updated and was even said to be “the last version of Windows” at one point.
“The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet. This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system,” the researchers warned.
“If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done. Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement.”
Although almost all ManageEngine products are vulnerable to the flaw, parent company Zoho was said to have already released a patch.
Using Shodan to search for unpatched endpoints, the researchers found “thousands” of vulnerable ManageEngine products, instances of ServiceDesk Plus and Endpoint Central.
Right now, there are no reports of CVE-2022-47966 being exploited in the wild, but if IT admins don’t patch the vulnerability on time, we can expect such reports to start pouring in sooner rather than later.
It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!