Windows 10 may have reached end of support, but Microsoft went out with a bang. The company has released its final update for Windows 10, delivering a record 173 security patches as part of the October Patch Tuesday. Among these, nine patches are rated as critical, with six addressing zero-day vulnerabilities that have already been exploited in the wild. This update marks the end of a decade of support for Windows 10, with all new features now reserved for Windows 11. The latest patches cover critical components such as the Windows kernel, Remote Desktop Protocol, and Microsoft Exchange Server. Notably, Microsoft had to remove a built-in driver to mitigate an active exploitation risk, highlighting the ongoing security challenges faced by users. As organizations transition to Windows 11, Microsoft continues to emphasize the importance of upgrading to the latest operating system for enhanced security and functionality.
Staying with Windows security, Microsoft has taken significant measures to enhance the security of the Internet Explorer mode in its Edge browser following reports of hackers exploiting this legacy feature to gain unauthorized access to users’ devices. According to the Microsoft Browser Vulnerability Research team, attackers utilized social engineering techniques alongside unpatched exploits in Internet Explorer’s JavaScript engine to execute their attacks. The attack involved tricking users into visiting seemingly legitimate websites, where they were instructed to reload the page in Internet Explorer mode. Once the mode was activated, the attackers could leverage a vulnerability in the JavaScript engine to execute remote code and escalate their privileges, ultimately gaining complete control over the victim’s device. In response, Microsoft has removed easy access to the Internet Explorer mode, requiring users to enable it manually through browser settings, thereby creating a significant barrier for potential attackers.
Why do we care?
That’s not just a Patch Tuesday; that’s a patch apocalypse. They even had to yank out a built-in driver mid-update because attackers were using it.
And while we’re talking about legacy pain, Microsoft had to lock down Internet Explorer mode in Edge. Hackers were tricking users into flipping on IE mode, then using a JavaScript exploit to take over machines. Now, if you actually need IE mode, you have to dig through settings to enable it manually.
The takeaway’s simple: legacy equals liability. Microsoft’s final patch was your warning shot — and it’s time to move.

