Microsoft Hacking Warning—450 Million Windows Users Must Now Act


A stark reminder this week that 450 million Windows users must now act to ensure their PCs and data remain safe. Microsoft has provided a $12 billion solution to the problem, but it won’t protect everyone. Just make sure you’re not caught out.

On Tuesday, ESET published a report into a previously unknown Windows vulnerability that was chained with a similarly unknown browser vulnerability to successfully attack PCs. Both threats have now been patched, and Windows users need to ensure their PCs are now updated. But if your PC comes off support, this is exactly the kind of threat that you won’t be protected against.


There are still 850 million Windows 10 users, plus another 50 million on even older versions of the OS. Fortunately, around 450 million of those users have PCs that likely meet the technical requirements to upgrade to Windows 11 and maintain support. That leaves 400 million Windows 10 users who need to act before Windows 10 support ends next October, plus those other 50 million, of course.

Microsoft has now famously offered a $30 one-time deal to extend Windows 10 support by 12 months—a $12 billion windfall if all 400 million users unable to move to Windows 11 take it up. There are also various workarounds to get a PC that lacks the required TPM 2.0 module to upgrade to Windows 11. Plus there’s always the option to upgrade your hardware, and 2025 could be a good time to buy a new PC. Whatever option you choose, just make sure you pick one and maintain support. Microsoft’s current nags might be irritating, but they’re bugging you for a reason.
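The three routes above (stay supported on Windows 10 via the paid extension, upgrade to Windows 11, or replace the hardware) all hinge on two facts about a given PC: how long its current OS remains in support, and whether its firmware meets Windows 11's TPM 2.0 and Secure Boot bar. The following read-only check gathers both. It is an added example, not code from the article, Microsoft or ESET; the Windows 10 end-of-support date (14 October 2025) and the build-number boundary between Windows 10 and 11 (22000) are assumptions baked into the defaults, and the `Win32_Tpm` and `Confirm-SecureBootUEFI` queries need an elevated session.

```powershell
# Added example (not from the Forbes article or ESET's report): a read-only
# support-readiness check for a Windows PC. Reports the OS build, days left in
# the Windows 10 support window, and whether the firmware-level Windows 11
# requirements (TPM 2.0, Secure Boot) are present. Run as administrator.

function Get-WindowsSupportReadiness {
    [CmdletBinding()]
    param(
        # Assumed: Windows 10 end-of-support date.
        [datetime]$Windows10EndOfSupport = [datetime]'2025-10-14',
        # Assumed: first Windows 11 build number; anything lower is Windows 10 or older.
        [int]$FirstWindows11Build = 22000
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $isWindows11 = $build -ge $FirstWindows11Build

    # Win32_Tpm lives in its own namespace; SpecVersion reads like "2.0, 0, 1.38",
    # so the first comma-separated field is the TPM specification version.
    $tpmSpec = $null
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) { $tpmSpec = ($tpm.SpecVersion -split ',')[0].Trim() }
    $tpm20 = ($tpmSpec -eq '2.0') -and $tpm.IsEnabled_InitialValue

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $daysLeft = ($Windows10EndOfSupport - (Get-Date)).Days

    $recommendation =
        if ($isWindows11)               { 'Supported: keep installing the monthly updates' }
        elseif ($tpm20 -and $secureBoot) { 'Windows 11 eligible: upgrade before Windows 10 support ends' }
        elseif ($daysLeft -gt 0)        { 'Not Windows 11 ready: buy the support extension or replace the hardware before the deadline' }
        else                            { 'Windows 10 support has ended: this PC is no longer receiving fixes' }

    [pscustomobject]@{
        OS                = $os.Caption
        Build             = $build
        IsWindows11       = $isWindows11
        Tpm20             = $tpm20
        SecureBoot        = $secureBoot
        DaysUntilWin10EoS = if ($isWindows11) { $null } else { $daysLeft }
        Recommendation    = $recommendation
    }
}

Get-WindowsSupportReadiness | Format-List
```

The TPM test deliberately requires the module to be both version 2.0 and enabled in firmware: a 2.0 chip that is disabled in the BIOS fails Microsoft's upgrade check just as a missing one does, which is the case the "workarounds" in the text usually paper over.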

According to ESET, the “previously [unknown] vulnerability in Windows, assigned CVE-2024-49039 with a CVSS score of 8.8,” enables arbitrary code to be executed as if by the logged-in user. This use-after-free memory bug provides a pathway from the browser to the PC, triggered when the exploit-hosting website is visited.

This was chained with “CVE-2024-9680, with a CVSS score of 9.8, [which] allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser.” This Windows Task Scheduler flaw enables a sandbox escape, allowing an attacker to schedule a malicious task for execution.

In combination, “if a victim browses to a web page containing the exploit, an adversary can run arbitrary code–without any user interaction–which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s PC.”
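Because the escalation step in this chain runs through the Task Scheduler, the scheduled-task store is a natural place for a defender to look for the aftermath: a task registered recently, whose action launches something from a directory a standard user can write to (the only place a sandboxed browser can drop a file), is exactly the shape such a payload takes. The script below is an added example, not code from the article or ESET, and it does not encode any indicator from the RomCom campaign; the 30-day window, the list of user-writable path patterns and the list of script hosts are assumptions to tune for your fleet. It only reads task definitions and changes nothing.

```powershell
# Added example (not from the article or ESET): triage of the Task Scheduler
# as a persistence/escalation channel. Lists tasks whose action executes from a
# user-writable location, or that were registered recently and wrap a script
# host. All thresholds and patterns are assumptions; tune them per environment.

function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        [int]$NewerThanDays = 30,
        # Assumed: directories a standard user can write to.
        [string[]]$UserWritablePatterns = @(
            '\\AppData\\Local\\Temp\\',
            '\\AppData\\Roaming\\',
            '\\Users\\Public\\',
            '^C:\\Windows\\Temp\\',
            '\\Downloads\\'
        )
    )

    $cutoff  = (Get-Date).AddDays(-$NewerThanDays)
    $pathRx  = $UserWritablePatterns -join '|'
    # Built-in interpreters often used to launch a dropped script.
    $hostRx  = '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\b'

    foreach ($task in Get-ScheduledTask) {
        # Date comes from the task's RegistrationInfo; it is empty for some built-in tasks.
        $registered = $null
        if ($task.Date) { $registered = [datetime]$task.Date }
        $recent = ($null -ne $registered) -and ($registered -ge $cutoff)

        foreach ($action in $task.Actions) {
            # Only "exec" actions carry a command line; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")

            $userPath   = $cmd -match $pathRx
            $scriptHost = $cmd -match $hostRx

            if ($userPath -or ($recent -and $scriptHost)) {
                $reasons = @()
                if ($userPath)   { $reasons += 'runs from user-writable path' }
                if ($recent)     { $reasons += "registered within $NewerThanDays days" }
                if ($scriptHost) { $reasons += 'wraps a script host' }

                [pscustomobject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    Registered = $registered
                    RunAs      = $task.Principal.UserId
                    RunLevel   = $task.Principal.RunLevel
                    Command    = $cmd
                    Reasons    = $reasons -join '; '
                }
            }
        }
    }
}

Find-SuspiciousScheduledTask | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Read the `RunAs` and `RunLevel` columns together with the path: a task that launches from a user profile directory but runs as SYSTEM or with `Highest` run level is the combination worth escalating, since that is what a sandbox escape buys an attacker. Expect some legitimate hits (updaters that live in `AppData` are common), so treat the output as a worklist rather than a verdict.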

RomCom is a Russia-backed cyber threat group that targets businesses for financial gain as well as likely state-sponsored or at least state-induced espionage operations. Recent RomCom targets include Ukrainian government entities as well as various industrial sectors in the US and Europe, including insurance, pharma and energy.

This particular attack was built around a maliciously crafted website “that redirects the potential victim to the server hosting the exploit.” Once the exploit is downloaded, it executes code to open RomCom’s backdoor. This chain attack comprising two different vulnerabilities working in tandem is typical of what we see these days, which is why even seemingly niche or innocuous threats can be dangerous when used in combination with other known or unknown flaws.

ESET says that “from October 10, 2024, to November 4, 2024, potential victims who visited websites hosting the exploit were located mostly in Europe and America.” This attack was targeted, with up to a few hundred victims per country identified, but the threat itself has the potential to expand or to be provided to other bad actors.

“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction,” ESET says. “This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.”


ESET’s researchers also call out Mozilla’s exceptional pace in releasing a fix in just 25 hours, “which is very impressive in comparison to industry standards.” Microsoft patched the Windows vulnerability in this month’s update.

Microsoft is coming under attack at the moment for interrupting PC users with nags to update their systems before Windows 10 support expires. As annoying as this might be, a successful hack would be worse. And for Microsoft, the prospect of hundreds of millions of Windows users no longer patching PCs must be a nightmare.
