Kategorie

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's  Authenticode signature. [...]

A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft's ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors. [...]

A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect dev's devices with infostealers and backdoors. [...]

Google has released Gemini 2.5 Pro-powered Gemini CLI, which allows you to use Gemini inside your terminal, including Windows Terminal. [...]

Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition. [...]

When MS-DOS 5.0 was released in 1991, one of the big innovations was the MS-DOS Editor, a classic text editor that quickly became popular with users. Now, Microsoft has developed a new version of MS-DOS Editor called Edit, according to Ars Technica.

Compared to the original, Edit offers a number of improvements, including support for Unicode. In addition, the 300-kilobyte limit has been removed, meaning users can work with gigabyte-sized files if they want.

Edit was written in the Rust programming language and is based on open-source code. And it doesn’t require Windows to run; the text editor works just as well on macOS or Linux.

If you want to try Edit, it can be downloaded from Github.

Google subsidiary Deepmind has unveiled Gemini Robotics On-Device, a new version of the Gemini AI model meant to be used in robots and work without an internet connection. The new model reportedly supports natural language, making it easy to control the robot’s movements.

In terms of performance, Gemini Robotics On-Device performs almost as well as the connected Gemini Robotics, Techcrunch reports.

Developers interested in working with Gemini Robotics On-Device can download the Gemini Robotics SDK from Github.

New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse. First disclosed by Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive. [...]

A recent vulnerability in Citrix NetScaler ADC and Gateway is dubbed "CitrixBleed 2," after its similarity to an older exploited flaw that allowed unauthenticated attackers to hijack authentication session cookies from vulnerable devices. [...]

“Stay on the right side of risk.” That’s what a new advertisement from Microsoft says, urging businesses and consumers to upgrade their Windows 10 PCs in the coming months. After all, Windows 10 will stop getting security updates in October. That’s now only four months away.

Microsoft has spent a lot of time talking about how wonderfully fast Windows 11 PCs are — especially its Copilot+ PCs, which are the focus of a major marketing campaign. However, as the clock ticks down to October, Microsoft is starting to shift from talking about the carrot (those performance improvements) to the stick (the security threats Windows 10 PCs will face).

But Microsoft has a weird history here — the company even patched major Windows XP threats years after officially ending support for that platform, repeatedly breaking its own update policy. That’s why it was no surprise when Microsoft announced a grand compromise a few weeks after I wrote the original version of this article: Consumers will be able to get that extra year of security updates for free (without the $30 fee).

To do so, they’ll just have to use Windows Backup to sync their settings to the cloud — or redeem 1,000 Microsoft Rewards points. That settings sync method is particularly easy, and it means all you have to do is sign into your personal Windows 10 PC with a Microsoft account and set up the syncing. The new options will be presented via an “enrollment wizard” in the Settings window. Businesses, however, will still have to pay.

So let’s look at what to expect, whether you’re managing a fleet of business PCs or you have a Windows 10 PC at home.

Got Windows 10 — or Windows 11? Sign up for my free Windows Intelligence newsletter. I’ll send you free copies of Paul Thurrott’s Windows Field Guides as a bonus, too!

What’s happening with Windows 10 today

First, a quick refresher: Microsoft will officially end support for Windows 10 on Oct. 14, 2025. After that date, Microsoft will stop issuing security updates for Windows 10 (at least, based on its current statements and guidance in that area).

Existing Windows 10 PCs will keep working, but they won’t get security updates. For a business, this is obviously a problem — just as it’s a big problem for home PC users.

Microsoft does have a solution for people who don’t want to upgrade immediately. It’s called Windows 10’s Extended Security Updates (ESU) program. You can pay a fee for up to three years of extra security updates. Individuals can only purchase one year’s worth of updates, however. Businesses will have to pay $61 per device for the first year, $122 device for the second year, and $244 device for the third year. Consumers can only get one year, and it’ll cost $30 — but Microsoft has now announced some easy ways to do that for free as a compromise, as mentioned a moment ago.

It’s worth noting that this applies only to typical editions of Windows 10. Microsoft also offers a Long-Term Service Channel (LTSC) of Windows to enterprises, which has a different software lifecycle. (In other words, the LTSC version of Windows 10 won’t stop getting security updates in October 2025.)

Windows 10 PCs are ramping up the messages about Windows 11 — and security warnings around sticking with Windows 10.

Chris Hoffman, Foundry

Will Microsoft change its mind?

While Microsoft has mostly plowed forward with its plans to ax Windows 10, the situation is a mess. We’ve never seen any version of Windows that was this popular right before it was exiting support. Microsoft doesn’t release information about Windows version usage, but third-party estimates put Windows 10 use at 53% of Windows PCs worldwide and 43% of Windows PCs in the US, specifically.

Microsoft initially said that it would immediately stop issuing security updates for Microsoft 365 subscription apps such as Word, Excel, and PowerPoint on Windows 10 after October 14, 2025. However, the company recently backpedaled: it now says Microsoft 365 apps will be supported with security updates through Oct. 10, 2028.

Additionally, Microsoft’s offer to sell an extra year of security updates to home PC users for $30 is new. It has never done this before. Previously, ESUs have only been for businesses. Microsoft can now shrug and say that people who want to keep using Windows 10 in a secure way have a way to pay for that security — at least for the first year. And they can even get it for free if they’re individual consumers!

I doubt we’ll see Microsoft cancel the big October deadline. In fact, Microsoft watered it down, offering a way to get on the ESU update path for free to consumers. I wouldn’t be shocked to see Microsoft offer a second year of ESUs as an option to home users if Windows 10 use remains high come October 2026, too.

This also helps Microsoft cover itself. Let’s say there’s a huge Windows 10 security problem and Microsoft executives are dragged in front of Congress to answer for it. They can say that they do offer security updates to consumers, but consumers have to sign up for it like any other service. That’s a better answer than, “We sell extended updates to businesses but not to consumers.”

The Windows XP lesson

If there is a huge security problem for Windows 10 PCs down the line, I would expect Microsoft to patch Windows 10, anyway. The company did this for Windows XP several times.

While Windows XP support ended in 2014, Microsoft released patches for Windows XP in 2017 (to patch WannaCry) and even in 2019 to prevent worms from exploiting a vulnerability. That was five years after Windows XP’s official end-of-life marker.

That doesn’t mean Windows XP machines were secure, exactly — but that Microsoft at least had an eye on blocking the worst threats that could take root on Windows XP systems and cause problems for the rest of the internet.

Don’t want to pay? You have options

Microsoft would prefer to nudge you into buying a new PC. That’s what that fee is all about: Microsoft wants people to see the $30 fee and decide it’s time to buy a new Windows 11 laptop after all. Or, at the very least, by signing in with a Microsoft account and syncing your settings, Microsoft wants you to start thinking about how easy a hardware upgrade would be. Microsoft’s marketing is performing a pincer move here: talking not just about the security risks of sticking with Windows 10 but the upgraded performance, battery life, and AI features of getting a new Windows 11 laptop. Microsoft wants businesses to see the steeply increasing fee and make plans to buy new hardware.

But you certainly don’t have to go down that road. If you have a Windows 10 PC you want to keep using, but with truly secure software at its core, you could keep it, ditch Windows and install a Linux distribution on it. You could also install Google’s ChromeOS Flex, a version of ChromeOS Google offers for existing PCs. Both are free.

There are also ways to upgrade some existing Windows 10 PCs to Windows 11, even if Microsoft says the upgrade isn’t “officially supported.” For a home PC, this is one way to keep getting security updates for an old Windows 10 PC — by bumping it up to Windows 11. Some PCs that are just below the hardware cutoff for Windows 11 will work great, while older PCs might not perform as well.

Additionally, you could instead consider 0Patch. That’s a company that creates security software designed to run in the background and use “micropatches” that block known security vulnerabilities from running. The service wouldn’t be free for Windows 10, but it is less expensive than most other options. And, for home users, it looks like it’ll be a way to keep getting a sort of security protection for Windows 10 after that first year.

I’ve spoken to the company, and they seemed eager to keep supporting Windows 10 for as long as it’s a good investment — they’re not eager to move on from Windows 10.

The Windows 10 PCs getting left behind

Let’s consider things from Microsoft’s perspective: Windows 10 was released on July 29, 2015, which means the operating system has had just over a decade of support. That same year, Google released the Nexus 6P with Android 6.0 Marshmallow. Google stopped supporting both the Nexus 6P and that version of Android back in 2018.

Windows 11 was released in October 2021, but most PCs released in 2019 to 2020 could upgrade to it — even many of those released in 2018 to 2019 might be able to do so, too.

The most realistic worst-case scenario here is that if you bought an older Windows 10 PC in 2019 and it can’t upgrade to Windows 11, you still got roughly six years of use from it. Also, if it’s that close to the cutoff, you likely can upgrade it to Windows 11, just through an “unofficial” upgrade method that Microsoft leaves open with a wink and a nudge.

Still, your Windows 10 PC’s long life is no consolation if you’re happy with your hardware and you feel like you’re having your arm twisted into upgrading when you’d rather not.

PCs are becoming so good that, assuming they boot and run well, it’s easy to treat them as an appliance. If you don’t feel like upgrading, why should you? After all, aren’t we supposed to be avoiding unnecessary e-waste? By avoiding the upgrade, you’re arguably helping Microsoft achieve its sustainability goals. Microsoft should thank you!

If your PC is so old that it can’t realistically be upgraded, though, Microsoft is right: Newer PCs are a lot faster, and even a budget-tier Windows 11 PC will deliver a much nicer experience. And between the “unofficial” way to upgrade to Windows 11, switching to desktop Linux, and Google’s ChromeOS Flex software, there are lots of paths forward for Windows 10 hardware that still has useful life left in it.

Want more in-depth Windows analysis and useful PC tips? Sign up for my free Windows Intelligence newsletter. I’ll send you three new things to try each Friday.

Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0. It has been described as a case of memory overflow that could result in unintended control flow and denial-of-service. However, successful exploitation requires the Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

The French police have reportedly arrested five operators of the BreachForum cybercrime forum, a website used by cybercriminals to leak and sell stolen data that exposed the sensitive information of millions. [...]

Cybersecurity researchers have detailed two now-patched security flaws in SAP Graphical User Interface (GUI) for Windows and Java that, if successfully exploited, could have enabled attackers to access sensitive information under certain conditions. The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were patched by SAP as part of its monthly updates for January Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

SAP’s open-source energy management app, Power Monitor, shows how you could manage energy costs for your devices — and your Mac could help you do so.

Designed for business users managing large fleets, the app should also benefit consumers concerned about energy use. It’s a great example of a tool that does one useful thing well, which is track Mac energy use and calculate cost.

Who doesn’t worry about energy costs? They’ve risen steeply since 2020. That concerns people using Macs at home, but price is a major worry for larger enterprises managing hundreds of Macs in a challenging business environment. Managing energy also matters to larger enterprises struggling to adopt ISO 50001 energy management systems, and we know Apple understands energy use.

What is SAP’s Power Monitor?

Available via GitHub, Power Monitor is designed to help enterprise users get a handle on sustainability efforts. If you are someone who continues to cling to the faith that human impact on the environment is minimal, then Power Monitor does do something else useful, too – it calculates your energy costs. 

What’s neat about the app is that it provides you with this information in a very Apple-like way. Open it up and at a glance you’ll see your current system power in Watts, along with average power, highest peak power, and energy costs that day. You can also see how much CO2 has been emitted by the energy use of your Mac. You can access this information in the app or via the Menu bar.

The application requires you to enter your energy costs and can let you activate flexible energy tariffs for those with suppliers that charge different rates at different times of day. You gain a good, in-depth overview of the costs and consequences of Mac use.

Screenshot

Jonny Evans

When it comes to managed fleets, IT can poll this data from across their devices to gain excellent oversights into energy use. If you’re running a business that uses dozens, hundreds, or thousands of Macs, you’ll already know that this information can tangibly help manage costs. It’s the kind of information any graduate of the Apple-supported Clean Energy Procurement Academy needs sometimes.

What alternatives exist?

I’m sure there are other apps that deliver similar insights, but they seem hard to find. Those I did find either track use on a per-app basis (like Activity Monitor), or are tied to specific energy suppliers, which SAP’s app is not. The Home app will track electricity use across compatible HomeKit devices, but doesn’t track the cost of running your Mac or, weirdly, any other Apple device on the network.

I find it strange that, at a time of rapidly accelerating energy costs, finding an off-the-shelf solution to help manage those costs appears challenging. That should change, which is why I think Apple should Sherlock SAP’s Power Monitor app and provide this simple but useful tool within macOS. 

Why isn’t this a Mac feature already?

Why isn’t a feature like this already inside Macs?

Perhaps because people haven’t said they need it. Or maybe Apple just doesn’t want to remind people that using their Mac costs money? Potentially, it is because the most popular Macs work on battery power. There may be perfectly good reasons not to include a tool of this kind, but one more major reason Apple should do so is for bragging rights.

You see, we already know Macs deliver more performance per watt than other systems, thanks to the five-year-old move to Apple Silicon. What better way to show how that low energy promise translates into real economic benefit than by making it possible to track accurate performance/energy costs against the estimated costs per hour when using other platforms? 

Would you use Power Monitor?

Enterprises attempting to tally their carbon emissions to achieve compliance with national climate targets will eventually demand access to data of that kind. Why not make this information an operating system feature? And why not make this available across all Apple’s products, rather than only Macs? Do you think Apple should integrate a tool like this to help you manage your fleets?

I do.

You can follow me on social media! Join me on BlueSky,  LinkedIn, and Mastodon.

Two new Chrome vulnerabilities have surfaced, and despite how often we hear about Chrome in the news, these bugs are not the kind we can afford to brush off. Both flaws target core components within Chrome''the V8 JavaScript engine and the Profiler function''and could hand attackers a direct line to exploit your systems. It's the kind of scenario no one wants: arbitrary code execution and potential system compromise just waiting to happen. As a result, Google has flagged both as high-severity issues.

Microsoft’s latest Windows 10 Extended Security Updates announcement reveals a telling double standard: while home users get multiple free pathways to maintain security beyond the October 2025 deadline, enterprises face the same expensive pay-or-migrate ultimatum.

The software giant announced in a blog post that individual consumers can secure an additional year of Windows 10 security updates for free, either through Windows Backup, or by redeeming 1,000 Microsoft Rewards points. They also have the option to access the updates by paying a $30 fee.

Meanwhile, businesses must still pay $61 per device for first-year coverage, with costs doubling annually thereafter, and there are no pathways to free access.

“ESU coverage for personal devices runs from Oct. 15, 2025, through Oct. 13, 2026,” Microsoft said in its blog post. But businesses? They’re still looking at the same three-year, escalating fee structure with no free alternatives.

Industry experts see Microsoft’s approach as strategic pressure rather than customer accommodation.

“This fee is a nudge towards Windows 11 and confirms that the vendor has a firm intention to see enterprise customers moving to Windows 11,” said Dario Maisto, senior analyst at Forrester Research.

Enterprise reality: Same expensive options, different messaging

Microsoft first launched its Windows 10 Extended Security Updates program in April 2024 with enterprise-focused pricing: $61 per device for year one, $122 for year two, and $244 for year three. Tuesday’s announcement doesn’t change those enterprise rates.

Business options remain available through the Microsoft Volume Licensing Program, with Cloud Service Provider partners able to sell commercial ESUs starting September 1. Maisto notes this timing “should ease the impact of these measures on the vendor’s cloud services revenue strategy.”

For organizations with 1,000 Windows 10 devices, Microsoft’s ESU program represents a $61,000 first-year commitment. A three-year ESU commitment totals $427,000, enough to purchase significant new hardware.

However, Maisto observes that “many organizations may rather pay the ESU subscription than make major investments in accelerating Windows 11 hardware refresh cycles,” particularly given current economic uncertainties and geopolitical volatility.

Current StatCounter data shows that Windows 10’s market share stands at 53% of the global Windows market, with Windows 11 at 43%. In enterprise environments, where hardware refresh cycles are longer, Windows 10 penetration often runs higher.

The strategic calculation and planning time

Sanchit Vir Gogia, chief analyst at Greyhound Research, warned that enterprises viewing ESU as a long-term solution are accumulating “strategic debt.” He noted that relying on ESU instead of refreshing devices may offer short-term budget relief but defers readiness for AI-era workloads.

However, Maisto pointed to a silver lining: “This additional time will give enterprises a breath to plan for Windows 11 adoption and do a proper risk assessment regarding security and compliance issues related to staying on Windows 10.”

Microsoft’s approach reflects calculated pressure: make staying on Windows 10 expensive enough to drive migration decisions, while offering consumers relief to avoid platform defection. The cloud exception for Windows 365 and Azure Virtual Desktop users proves Microsoft’s priorities — steering organizations toward higher-margin, recurring revenue streams.

Maisto noted that organizations are “trying to understand which scenario will materialize given the current geopolitical volatility,” with each organization taking “a different path depending on its risk appetite.”

Compliance gaps and enterprise risks

Extended Security Updates deliver only critical and important security patches. Even after paying $61 per device, IT departments won’t receive new features, non-security bug fixes, or technical support.

Gogia emphasized that ESU creates compliance risks beyond basic security. “Microsoft’s ESU program may keep vulnerabilities patched, but it doesn’t close the compliance gap,” he said. “Without support for evolving identity frameworks, telemetry, or zero-trust baselines, Windows 10 — even patched — is an aging platform.”

For regulated industries, the absence of advanced encryption support or newer multi-factor authentication integrations may result in failed audits. “Security updates alone do not equal a secure posture — especially in regulated sectors,” Gogia noted.

Maisto acknowledged this will “ease the pressure on organizations in these already turbulent times,” but warned each enterprise must conduct proper risk assessments when weighing ESU against immediate Windows 11 migration.

The cloud backup enterprise dilemma

Microsoft’s free consumer ESU option requires enabling cloud backup through Microsoft services — a condition that creates enterprise policy conflicts.

“Microsoft is not just offering patches — it’s offering them in exchange for cloud footprint expansion,” Gogia explained. The cloud backup requirement raises concerns for organizations managing complex data residency and encryption frameworks.

Many enterprise policies disallow external backups that bypass data loss prevention workflows. For regulated enterprises in healthcare and public infrastructure, defaulting to cloud sync may violate internal mandates.

Implementation complexity

Organizations evaluating ESU face complexity that consumer programs don’t address. Devices must run Windows 10 version 22H2, potentially requiring extensive patch management before ESU activation.

The enrollment process integrates with volume licensing systems rather than simplified consumer wizards. Enterprise IT teams must coordinate with procurement, legal, and finance departments for multi-year ESU agreements.

Most critically, Microsoft offers no technical support as part of ESU programs. Organizations paying premium prices still depend on community forums or expensive Microsoft consulting services for implementation issues.

Microsoft’s enhanced Windows 10 ESU program confirms that enterprises are expected to pay their way through the transition while consumers get multiple free options. The timing of Cloud Service Provider availability in September aligns with Microsoft’s cloud revenue strategy.

Both analysts agree the program serves Microsoft’s interests while providing enterprises limited relief. “It’s security with strings — and a subtle shift in monetization logic,” Gogia said.

For IT leaders, this represents both breathing room and continued pressure. While ESU provides time for proper Windows 11 planning and risk assessment, the escalating costs ensure that staying on Windows 10 becomes increasingly expensive each year, exactly as Microsoft intended.

Stability. Security. Practical, resource-conscious features. It's everything you'd want from a browser, especially when it's being deployed across systems that need predictable performance in production environments. Firefox 140 ESR (Extended Support Release) makes no attempt to dazzle with half-baked experiments or flashy new gimmicks''it's built to be stable, reliable, and secure for the long haul. This makes it an essential tool for Linux admins and infosec professionals who need more focus on functionality and operational efficiency than bleeding-edge features.

Thousands of personal records allegedly linked to athletes and visitors of the Saudi Games have been published online by a pro-Iranian hacktivist group called Cyber Fattah. Cybersecurity company Resecurity said the breach was announced on Telegram on June 22, 2025, in the form of SQL database dumps, characterizing it as an information operation "carried out by Iran and its proxies." "The actors Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra’s subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions inThe Hacker Newshttp://www.blogger.com/profile/[email protected]