🏫 Live on Oct. 21: How North Carolina secures K–12 schools with runZero Register Now

On This Page:

  1. Win10 on life support?
  2. How to find Windows 10 OSes with runZero
  3. Hungry for more brains?

Windows 10 EOL: A Winpocalypse just like Y2K

todb
|
Updated
Windows 10 Winpocalypse

The Winpocalypse is just like Y2K — in the sense that probably nothing will happen. But that's about where the comparison ends.

Kids these days seem to believe that Y2K was a bunch of nothing, and we all panicked at the prospect of the calendar switching over from 19xx to 20xx, when in the end, little actually happened. I, being an old, was there — and the panic was real. Furthermore, the work to prevent a widespread Y2K disaster was also real, and immensely expensive. I and my then-fiancĂ©e were both working in IT, and Y2K mitigation was on our radar since at least 1997. It was our primary focus for the last six months of 1999. So, yes, Y2K didn't trash society in the way people worried, but only because we spent billions of dollars and thousands of person-years of effort to avert catastrophe. You're welcome.

Now, we're nervously staring down the barrel of a new disaster for a new era, the end-of-life of Windows 10. Win10 goes EOL (end of life) on October 14, 2025, which is uncoincidentally next Microsoft Patch Tuesday. I spent some time discussing this in Undead by design, our new research report about EOL operating systems, and throw around terms like "Winpocalypse" and "Windogeddon" (I haven't decided which one is a better portmanteau) to describe life for IT administrators on October 15.

The thing, though, is that unlike Y2K, EOL doesn't mean instant crashes, breaches, or other big, obvious disasters. EOL creeps up on you. Unlike humans, computers don't just shuffle off this mortal coil when they go EOL; they persist, acting the same as they did before EOL day.

Problems start to crop up only when there's revealed a security issue with the EOL OS that the vendor decides not to patch. This might come as a research finding, or it might manifest as a zero-day attack. In the case of an zero-day on Win10, it might turn into a forever-day, if Microsoft decides, continuously, to withhold a fix for general deployment.

But the fact is, this worst-case scenario is unlikely to happen. Microsoft lives in the same world as us, and if something truly horrific pops off, I'm confident that a fix will be distributed. We saw this most dramatically with WannaCry, the weaponization of EternalBlue, which attacked SMBv1 the world over. While SMBv1 was an optional component of the then-newish Windows 10 OS, and the stable Windows 7, Microsoft also delivered a fix to the very-EOL Windows XP. Microsoft has, and can, definitely act after the deadline passes.

Win10 on life support? #

On top of this, there's reporting from Risky Business that Microsoft is offering Extended Security Updates (ESUs) for all European Windows 10 customers for free, personal and enterprise alike. While this offer still seems unofficial, it's likely true. This tells me it's possible for Microsoft to offer similar coverage for everyone if things go south.

Unfortunately, Windows 10 will still certainly go EOL on October 14. Right now, US customers are still on the hook for a $61 license for ESUs, and many are unlikely to bother until the disaster is already upon them.

I wouldn't be surprised if Microsoft backtracked even on this paid US offering at the last minute. It's hard to get people to pay for security software even in the best of times, because it's always a grudge buy, like car insurance or disaster recovery. Nobody actually wants insurance products or burglar alarms or backup tapes, but they buy these products because they feel they have no other choice. If Microsoft figures that the reputational cost of seeming to extort customers outweighs the cost of just extending support for everyone, they’ll back off. So, unlike with Y2K, we couldn’t negotiate with Father Time, but we can with Uncle Nadella.

It's important to note that being EOL, even with an ESU guarantee of critical security fixes, isn't a great place to be in. Microsoft very much wants to focus effort on Windows 11 and beyond, so it's likely that support for Windows 10 is already degraded; nobody in Redmond wants to spend time on merely mid-level security issues (either discovering them or fixing them) for a nearly-dead OS. This leads to a level of complacency that increases the day-to-day risk of running these barely-hanging-on OSes.

How to find Windows 10 OSes with runZero #

Hopefully, this blog post isn't news for you. If it is, you really need to act now. If you're a runZero customer, you can run a quick Asset check for Windows 10 with the straightforward query:

os:="Microsoft Windows 10%"

That'll give you a sense of how much of your infrastructure is about to hit Windows 10’s EOL deadline. Ideally, you've already started the process of upgrading, making sure your critical applications are compatible with Windows 11, or finding out if there are alternatives in case they’re not. The best time to act on all this was a year ago. The second best time is right now.

Not a runZero user? Fret not, the runZero Community edition is entirely free, ideal for home use and environments that have fewer than 100 assets. If you need more than that, you can upgrade your account.

So, while a dramatic end of the world scene is unlikely to play out at the stroke of midnight, just like what didn’t happen with Y2K, the challenge of working around Win10’s EOL will take some time and heroic effort on all our parts. Just like Y2K.

Ninja edit: By the way, the year 2038 is closer than you think! Just planting that there for now.

Hungry for more brains? #

We get it — once you’ve had a taste of insight, you’re starving for more. Feed that curiosity with a research report and live webcast, all about EOL!

Ungated EOL research report #

Undead by design

Check out "Undead by design" where the runZero research team benchmarks the prevalence of EOL assets across U.S. enterprises and uncovers the industries carrying the heaviest burden. Learn how unsupported systems quietly expand organizational risk and why defenders need visibility now more than ever.

Live webcast on October 15 #

Join us for a scary episode of runZero Hour with Rob King, Tod Beardsley, and EOL expert and technology necromancer, captn3m0 (pronounced “nemo”).

This episode will exhume:

  • runZero's new research report

  • The "Winpocalypse"

  • Why EOL OSes persist well beyond their best-by dates

  • And what IT teams can do to identify and protect decaying assets...before they rise with a taste for corruption

See you there!

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!.

Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.

More about todb
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more

Watch Now • On Demand
Vulnerability management is broken: what's the fix?

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps.

Watch Now
runZero Hour, Episode 17
The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join VP of Security Research Tod Beardsley and Security Research Director Rob King for a deep dive into the future of exposure management.
Watch Now
Product Release
Tackling the New Era of Exposure Management
Fixing what’s broken with legacy tools and overcoming decades-old problems requires a new approach. Dive into how we do it at runZero.
Read More
Webcast
The Unreasonable Effectiveness of Inside Out Attack Surface Management
HD Moore, founder of runZero (and previously Metasploit), presents new research that will forever redefine how you approach attack surface management.
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
© Copyright 2025 runZero, Inc. All Rights Reserved