End of support for Build 1909 leaves some Windows open to attack

Biannual Windows updates free IT staff from major updates, but some people prefer older builds of Windows, which leaves a gaping security hole

Microsoft will be ending service updates for Windows 10, version 1909, on 11 May 2021. Operating systems that will no longer receive updates after this date are Windows 10 Home, version 1909; Windows 10 Pro, version 1909; Windows 10 Pro Education, version 1909; and Windows 10 Pro for Workstations, version 1909.

On its website, Microsoft said: “These editions will no longer receive security updates after May 11, 2021. Customers who contact Microsoft support after this date will be directed to update their device to the latest version of Windows 10 to remain supported.”

According to data provided by Kaspersky, the usage share of Windows 10 Build 1909 among consumers and businesses is 15% globally. Its figures estimate that 14% of the UK remains on Build 1909.

Not everyone updates their OS

While some PC users may not wish to update Windows and some organisations have a very good reason to maintain a stable operating system (OS) build, the fact that Build 1909 will no longer be updated puts those people still running the software at risk of attack. That risk arises when Microsoft issues a security patch for a supported operating system, since unsupported builds such as 1909 will not receive the fix.

Kaspersky argues that the same level of vulnerability applies across all outdated operating systems. Users are under threat, no matter what unsupported OS they run.

Oleg Gorobets, senior product marketing manager at Kaspersky, said: “Updating your operating system might seem like a nuisance for many. But OS updates are not just there to fix errors or to enable the newest interface. The procedure introduces fixes for those bugs that can open a gaping door for cyber criminals to enter.

“Even if you think you are vigilant and protected while online, updating your OS is an essential element of security that should not be overlooked, regardless of any third-party security solution’s presence. If the OS is obsolete, it can no longer receive these critical updates.

“If your house is old and crumbling, there is no point in installing a new door. It makes more sense to find a new home, sooner rather than later. The same attitude is needed when it comes to ensuring the security of the operating system you trust with your valuable data every day.”

Windows 10 receives a major update twice a year. Generally, each of these updates is supported for 18 months, after which Microsoft stops issuing patches for it.

But although this has made it much easier for people to receive regular OS updates, the challenge for the tech sector is that some people are reluctant to update their systems. There is always a risk that new releases may cause existing software to break.

For instance, the latest Patch Tuesday, released in April, removes support for RemoteFX vGPU 3D, due to a vulnerability identified by security researchers. The vGPU 3D feature made it possible for multiple virtual machines to share a physical GPU. While Microsoft has developed an alternative approach, clearly any organisations relying on this feature will be impacted.

For users who are less tech-savvy, regular OS updates may seem like an unnecessary, complex procedure, especially if their PC appears to be working just fine.

Unless these people install the updates, however, hackers could exploit the Common Vulnerabilities and Exposures (CVEs) associated with monthly Patch Tuesday updates and biannual OS updates to target older versions of the operating system, such as Build 1909.

The challenge for Microsoft and IT security professionals is balancing two risks: that a security hole in a supported version of Windows is exploited, and that the release of a patch is itself exploited to attack those users still running unsupported systems.

“We have a strong commitment to security and a demonstrated track record of investigating and resolving reported vulnerabilities,” said a Microsoft spokesperson. “We follow an extensive process involving thorough investigation, update development for all versions of affected products, and testing for compatibility among other operating systems and related applications. Ultimately, developing a security update is a delicate balance between timeliness and best quality and the goal is to help ensure maximised customer protection with minimised customer disruption.”
