Nova H1 Audio Earrings: Unraveling the Kamala Harris Conspiracy
The internet is no stranger to conspiracy theories, and the latest in the mix involves Vice President Kamala Harris and a pair of tech-infused earrings. Following a debate between Harris and Donald Trump, claims surfaced on social media that the Vice President was wearing Nova H1 Audio Earrings, a pair of Bluetooth-enabled devices disguised as pearl earrings. But is there any truth to these allegations, or is this another unfounded internet rumor?
The Conspiracy Explained
Several social media accounts, including @24ELECTIONS on X (formerly Twitter), speculated that Kamala Harris wore Nova H1 Audio Earrings during the debate. These earrings, developed by German startup NOVA Products, are said to project sound directly into the wearer’s ear via Bluetooth, making them a discreet communication device. The technology, which debuted at CES 2023, has been described as an advanced solution for making phone calls or listening to audio without anyone noticing.
However, an online search for these earrings shows that they are not available for purchase, and the company that originally developed them seems to have gone dark. The website for NOVA Products now redirects to Icebach Sound Solutions, raising questions about whether the product ever truly existed.
No Proof, Just Speculation
As of now, there is no concrete evidence that Kamala Harris was wearing Nova H1 Audio Earrings. Video footage from the debate shows her wearing a pair of pearl earrings, but there’s no indication that they were anything more than traditional jewelry. In fact, the earrings bear a strong resemblance to Tiffany & Co.’s Double Pearl Hinged Earrings, which Harris has been seen wearing in the past.
Conservative social media users have fanned the flames of this conspiracy, with posts on platforms like Reddit and X claiming that Harris was secretly receiving audio assistance during the debate. Despite the buzz, there has been no confirmation from official sources or credible media outlets. Newsweek reached out to Harris’s team for comment but has yet to receive a response.
Nova H1 Audio Earrings: Fact or Fiction?
The Nova H1 Audio Earrings were initially launched on Kickstarter, promising a discreet way to listen to music or take calls. According to the campaign, the earrings were designed to “project sound into the ear canal” while remaining visually indistinguishable from regular pearl earrings. However, backers of the product have expressed concerns about the company’s legitimacy. Some users left comments on the Kickstarter page over a year ago, asking for updates on their orders, which never materialized.
The last update from the company on Kickstarter was in May 2023, and since then, NOVA Products has gone silent. Icebach Sound Solutions, which appears to have taken over the project, has only made cheeky responses to media inquiries, further fueling skepticism. One response on their website states that they will only give interviews to Jimmy Fallon, adding a layer of irreverence to an already bizarre situation.
Conspiracy Theories in Presidential Debates: A Recurring Theme
This is not the first time conspiracy theories have emerged during a presidential debate. Similar accusations were made against Hillary Clinton during the 2016 election, when conservative media claimed she wore an earpiece to receive coaching during a televised forum. Fact-checking websites like Snopes and PolitiFact debunked these claims, pointing out that there was no evidence to suggest Clinton used any hidden communication devices.
During the 2020 election, Joe Biden faced similar accusations. Some conservative figures alleged that he wore a hidden earpiece during his debate with Donald Trump, though these claims were also proven false by fact-checkers.
Windows 10 Deadline Looms: How to Stay Protected Beyond 2025

Free support ends October 14, 2025; new KB5063709 unlocks Extended Security Updates enrollment to keep critical patches flowing through October 2026.
Microsoft is warning Windows 10 users that free security updates end on October 14, 2025. A new cumulative update, KB5063709, enables a built-in enrollment flow for the Extended Security Updates (ESU) program, offering another year of fixes to October 13, 2026. Edge and WebView2 will still receive updates on Windows 10 until 2028.
With less than two months before Windows 10 reaches end of support, Microsoft has issued a final security warning: after October 14, 2025, no more free fixes. A fresh update, KB5063709, now exposes an “Enroll in Extended Security Updates” option inside Windows Update to help users secure one more year of patches.
- End of free support: Windows 10 (22H2) stops receiving free security updates on Oct. 14, 2025.
- Bridge program: Microsoft’s Consumer ESU extends security fixes to Oct. 13, 2026; enrollment is now available from Settings after installing KB5063709.
- Browser exception: Microsoft Edge and WebView2 Runtime will keep updating on Windows 10 through at least Oct. 2028—even if you don’t buy ESU.
- Scale: Windows 10 still represents roughly 43% of active Windows desktops worldwide (Statcounter, July 2025).
“After October 14, 2025… Microsoft will no longer provide security updates or fixes.” — Microsoft support page.
“KB5063709… includes a fix for a bug that prevented enrollment in extended security updates.” — BleepingComputer (Aug. 12, 2025).
“Edge and the WebView2 Runtime will continue to receive updates on Windows 10… until at least October 2028.” — Microsoft Edge lifecycle.
A separate storyline continues to roil the transition: a California lawsuit alleges Microsoft set the 2025 cutoff to push AI-ready PCs; Microsoft points to ESU as a safety net, but litigation underscores user anxiety about older, ineligible hardware.
What’s changing on Patch Tuesday:
- KB5063709 (Aug. 2025): Required to expose the ESU enrollment UI under Settings → Update & Security → Windows Update. It also resolves the enrollment-wizard crash and rolls in July’s security fixes (including one zero-day).
Enrollment mechanics (consumer ESU):
- Prereqs: Windows 10 22H2, admin rights, and Microsoft account sign-in (local accounts are not supported for ESU).
- Cost options: $30 one-year ESU, 1,000 Microsoft Rewards points, or free if you enable OneDrive settings sync—all visible in the built-in wizard after KB5063709.
Risk surface if you skip ESU:
- Unpatched remote code execution and privilege-escalation flaws accrue monthly across the kernel, Win32k, networking stack, printing, and driver ecosystems. Even with a supported browser, OS-level exposures (SMB, RPC, LSA, Credential Guard bypasses) remain unmitigated. (Derived from Microsoft monthly CVE cadence; see KB5063709 advisory context.)
Mitigations checklist (if you must remain on Windows 10):
- Enroll in ESU and keep Windows Defender/EDR signatures current.
- Harden attack surface: disable legacy protocols (SMBv1), restrict RDP, enforce LSA protection, and require smartcard/Windows Hello where possible. (General guidance aligned with Microsoft security baselines.)
- Application control: enable ASR rules and Smart App Control-equivalents; prefer standard user rights.
- Network containment: segment legacy Windows 10 devices; use firewall allow-lists and zero-trust access.
- Browser updates: keep Edge/WebView2 current; isolate risky web apps in Application Guard where available.
Impact & Response
Who’s affected: Home users, SMBs, schools, and agencies still running Windows 10—hundreds of millions of devices globally. Statcounter shows Windows 10 usage near 43% in July 2025, meaning a large residual population will face patch gaps without ESU.
Actions to take now:
- Install KB5063709, then open Windows Update → Enroll in Extended Security Updates and choose a plan.
- Plan upgrades to Windows 11 24H2+ or supported alternatives; Microsoft reiterates Oct. 2025 as the firm cutoff for free updates.
Long-term implications: Expect shrinking driver/app support and rising exploit availability on unpatched systems, even as browsers continue to update through 2028.
Background
Microsoft set Windows 10 22H2 as the final feature version and has repeated the Oct. 14, 2025 deadline since 2023–24 guidance. ESU is designed as a temporary bridge, not a multi-year extension. Browser support to 2028 offers partial protection, but it does not replace OS security hardening.
- “ESU buys time—but not immunity. Treat it like a controlled exit ramp: enroll now, apply strict hardening (kill SMBv1, lock down RDP, enforce LSA protection), and move critical workloads to supported platforms within 12 months. The cost of delaying migration will be paid in incident response.” — El Mostafa Ouchen, cybersecurity author & practitioner.
- Microsoft (support notice): “After October 14, 2025… we will no longer provide security updates or fixes.”
- BleepingComputer (on KB5063709): “The update… fixes a bug that prevented enrollment in extended security updates.”
- Microsoft Edge team (lifecycle policy): “Edge and WebView2 will continue to receive updates on Windows 10 until at least October 2028.”
Conclusion
Microsoft’s warning is unambiguous: Windows 10’s free patch era ends on October 14, 2025. The KB5063709 + ESU path is a short-term safety measure to October 2026, not a strategy. Organizations and households should enroll if needed—but prioritize upgrading or retiring Windows 10 endpoints to reduce exposure as exploit pressure rises.
New HTTP/2 ‘MadeYouReset’ Flaw Enables Massive DoS Attacks

New CVE-2025-8671 technique bypasses Rapid Reset defenses; patches rolling out for Tomcat, Netty, F5 as vendors coordinate with CERT/CC.
A newly disclosed HTTP/2 vulnerability dubbed “MadeYouReset” (CVE-2025-8671) lets attackers overwhelm websites and APIs by tricking servers into resetting their own streams—evading many Rapid Reset mitigations from 2023. Researchers at Tel Aviv University coordinated disclosure with CERT/CC as major vendors issued fixes and advisories. No in-the-wild abuse has been observed so far.
A protocol-level weakness in HTTP/2 is exposing popular servers to large-scale denial-of-service (DoS) attacks, security researchers warned this week, prompting a coordinated vendor response and emergency patches across web infrastructure stacks worldwide.
What’s new: Researchers Gal Bar Nahum, Prof. Anat Bremler-Barr, and Dr. Yaniv Harel detailed MadeYouReset, a technique that bypasses the built-in HTTP/2 concurrency limit by coercing servers to issue RST_STREAM resets themselves, allowing effectively unbounded parallel work on the backend. CERT/CC assigned umbrella CVE-2025-8671, with product-specific CVEs for affected stacks (e.g., Apache Tomcat CVE-2025-48989; F5 BIG-IP CVE-2025-54500; Netty CVE-2025-55163).
Who’s affected / vendor status:
CERT/CC lists multiple impacted implementations and patch guidance. Tomcat users should upgrade to 11.0.10, 10.1.44, or 9.0.108. Varnish released fixed builds (7.7.2, 7.6.4, 6.0.15) and documents a temporary HTTP/2 disable switch as a mitigation; Akamai says its HTTP/2 stack was not vulnerable; Cloudflare reports existing Rapid Reset defenses also neutralize this variant on its edge.
- “It lets an attacker create effectively unbounded concurrent work on servers,” said discoverer Gal Bar Nahum.
- CERT/CC notes the bug “exploits a mismatch … resulting in resource exhaustion.”
- Cloudflare says MadeYouReset “only impacts a relatively small number of HTTP/2 implementations.”
- Akamai reports “no live attacks … have been observed” and credits coordinated disclosure before disruption.
Technical analysis — how “MadeYouReset” works
Concept: Rapid Reset (CVE-2023-44487) abused client-sent RST_STREAM to cancel streams faster than servers could stop backend work. MadeYouReset achieves the same outcome without the client sending RST_STREAM—it provokes the server to issue RST_STREAM by injecting carefully timed control-frame violations after a valid request has begun processing. Because the stream is “closed” from the protocol’s perspective, it falls out of MAX_CONCURRENT_STREAMS accounting while backend computation continues, enabling near-unbounded concurrency on a single connection.
Observed “primitives” that force server-sent RST_STREAM (examples):
- WINDOW_UPDATE with increment = 0 (illegal) or a value that overflows the 2³¹−1 window cap.
- PRIORITY frame with invalid length or self-dependency.
- HEADERS/DATA frames sent after END_STREAM on a half-closed stream.
These protocol misuses are syntactically valid at the frame level but semantically invalid in sequence, causing the server to reset the stream after work has started—bypassing client-RST counters deployed post-Rapid Reset.
Affected stacks / CVEs (early list): Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), Netty (CVE-2025-55163); vendor matrices continue to update under CERT/CC VU#767506. Imperva’s write-up also notes impacts for Jetty and IBM WebSphere in some configurations.
Why defenses failed: Many 2023 mitigations rate-limited client RST_STREAM frames. MadeYouReset sidesteps those counters by ensuring the server emits the resets, keeping the client’s RST_STREAM count at zero. Robust implementations also short-circuit backend work on error; vulnerable ones allow work to continue, creating a request/stream-accounting mismatch attackers can amplify.
Impact & response
- Exploitation: As of Aug. 15, no active exploitation has been observed, but the attack is practical and PoC behaviors have been demonstrated in research labs. Operators should patch preemptively.
- Potential blast radius: High-traffic APIs, reverse proxies, app servers, and CDNs that terminate HTTP/2 and forward to heavy backends are most at risk of CPU/memory exhaustion or, in some stacks, OOM crashes.
- Coordinated disclosure: Researchers notified vendors in late May; public disclosure Aug. 13–14 with vendor guidance consolidated under CERT/CC VU#767506.
Mitigations (what to do now)
- Patch/upgrade:
  - Tomcat → 11.0.10 / 10.1.44 / 9.0.108.
  - Varnish → 7.7.2 / 7.6.4 / 6.0.15 (Enterprise 6.0.14r5).
  - Rust h2 crate (used by Pingora, etc.) → ≥ 0.4.11.
  - Track vendor advisories for F5 BIG-IP, Netty, Jetty, WebSphere, etc. via CERT/CC VU#767506.
- Protocol-level hardening (for implementers/operators):
  - Reject malformed/ill-timed frames early (e.g., WINDOW_UPDATE=0, window overflow, invalid PRIORITY length; HEADERS/DATA after END_STREAM).
  - Enforce strict stream-state checks so backend work is aborted on stream errors, not just response transmission.
  - Rate-limit connection-level protocol errors and server-sent resets, not just client RST_STREAM counts.
- Operational safeguards:
  - Autoscale front-ends; monitor RST_STREAM/GOAWAY error rates and per-connection protocol-error churn as an attack signal.
  - Temporary fallback: where patching is not immediately possible, disable HTTP/2 on vulnerable edges (remove h2 from ALPN) while maintaining TLS—last resort due to performance impact.
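One way to apply the protocol-level hardening items above, as an added example that is not code from the researchers or any vendor named in this article: a per-connection guard that validates already-decoded frames, aborts backend work when a frame forces a stream reset, and charges every server-sent reset to a connection budget. The Frame shape, the budget of 2, and the sample trace are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_WINDOW = 2**31 - 1     # flow-control window cap (RFC 9113)
INITIAL_WINDOW = 65_535    # default initial stream window

@dataclass
class Frame:               # hypothetical, already-decoded frame
    type: str
    stream_id: int
    length: int = 0
    increment: int = 0     # WINDOW_UPDATE only
    depends_on: int = 0    # PRIORITY only
    end_stream: bool = False

@dataclass
class ConnectionGuard:
    reset_budget: int = 2                          # assumed threshold
    windows: dict = field(default_factory=dict)    # stream id -> send window
    half_closed: set = field(default_factory=set)  # END_STREAM seen from client
    server_resets: int = 0
    aborted: list = field(default_factory=list)    # backend work cancelled

    def violation(self, f):  # error code if f forces a stream reset, else None
        if f.type == "WINDOW_UPDATE":
            if f.increment == 0:
                return "PROTOCOL_ERROR"
            if self.windows.get(f.stream_id, INITIAL_WINDOW) + f.increment > MAX_WINDOW:
                return "FLOW_CONTROL_ERROR"
        elif f.type == "PRIORITY":
            if f.length != 5:                      # only legal PRIORITY payload length
                return "FRAME_SIZE_ERROR"
            if f.depends_on == f.stream_id:
                return "PROTOCOL_ERROR"
        elif f.type in ("HEADERS", "DATA") and f.stream_id in self.half_closed:
            return "STREAM_CLOSED"

    def on_frame(self, f):
        err, sid = self.violation(f), f.stream_id
        if err is None:
            # increment is 0 for every frame type except WINDOW_UPDATE
            self.windows[sid] = self.windows.get(sid, INITIAL_WINDOW) + f.increment
            if f.end_stream:
                self.half_closed.add(sid)
            return "OK"
        # Abort backend work first, then charge the reset to the connection.
        self.aborted.append(sid)
        self.server_resets += 1
        if self.server_resets > self.reset_budget:
            return "GOAWAY"                        # close the whole connection
        return "RST_STREAM:" + err

SAMPLE_TRACE = [  # constructed: each request is followed by one invalid frame
    Frame("HEADERS", 1, end_stream=True), Frame("WINDOW_UPDATE", 1, 4, increment=0),
    Frame("HEADERS", 3, end_stream=True), Frame("PRIORITY", 3, 5, depends_on=3),
    Frame("HEADERS", 5, end_stream=True), Frame("DATA", 5, 10),
]

def replay(frames, budget=2):
    guard = ConnectionGuard(reset_budget=budget)
    return [guard.on_frame(f) for f in frames], guard
```

Replaying SAMPLE_TRACE shows the client sending no RST_STREAM at all while the guard still ends the connection on the third server-sent reset, which is the signal a client-reset counter alone would miss.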
Background
Rapid Reset (CVE-2023-44487) triggered record-setting L7 DDoS in 2023 and catalyzed stream-reset rate-limits across the industry. MadeYouReset is a server-triggered variant that defeats those client-side counters. Akamai says HTTP/3 has not seen an analogous widely-exploitable variant to date due to QUIC’s different stream management.
Conclusion
MadeYouReset underscores how spec-compliant edge cases can be weaponized when implementation details diverge from protocol assumptions. Expect further protocol-abuse research and defensive telemetry around server-sent resets. Teams should patch now, tighten frame validation and state-machine enforcement, and expand detection beyond client-initiated resets.
Sources: The Hacker News report; CERT/CC VU#767506; Cloudflare analysis; Akamai blog; Imperva technical write-up; Varnish advisory.
Sam Altman: Artificial Intelligence Will Soon Make Truth Unrecognizable

OpenAI’s chief, Sam Altman, warns that artificial intelligence could soon unleash an era of “information chaos,” threatening trust, truth, and global cybersecurity stability.
Society Is Not Ready: Altman Warns of AI-Driven Fraud Crisis
By an International Correspondent
In a chilling assessment of what lies ahead, OpenAI CEO Sam Altman has cautioned that society is on the brink of a sweeping fraud crisis driven by artificial intelligence. Speaking candidly at a recent technology forum, Altman said the power of AI to replicate human voices, images, and writing has surpassed all previous expectations—posing one of the greatest threats to truth and trust in the digital era.
“We’re heading into a world where you won’t be able to believe anything you see or hear online,” Altman warned. “We’re not ready. Society is never ready for these disruptions, and the window to prepare is closing fast.”
Altman’s remarks come at a time when deepfake technology, synthetic media, and generative AI tools like ChatGPT and DALL·E are becoming increasingly accessible. Experts fear these tools could be weaponized by scammers, foreign intelligence, or rogue actors to impersonate individuals, forge official communications, and erode the very fabric of digital credibility.
The Age of Synthetic Deception
What was once a dystopian warning has now become a technical reality. AI-generated audio can perfectly mimic voices after just a few seconds of sample input. Image generators can fabricate realistic photographs of people who don’t exist. Text-based AI systems can compose emails, fake legal notices, and generate social media posts that are indistinguishable from human writing.
According to cybersecurity experts, this convergence of technologies creates fertile ground for identity fraud, phishing campaigns, political manipulation, and fake news proliferation on a scale never before imagined.
“We are looking at a new era of fraud—one that’s automated, convincing, and almost impossible to trace in real-time,” said Nina Schick, a deepfake researcher and author of “Deepfakes: The Coming Infocalypse.”
Crisis of Trust in the Digital Age
Altman emphasized that one of AI’s most dangerous side effects will be the erosion of societal trust. In an online environment where anyone can be impersonated, and anything can be faked, public confidence in digital communications—and even democratic institutions—could collapse.
“It’s not just about individual scams,” Altman added. “It’s about the larger implications of not knowing what to believe. That’s a foundational threat.”
Already, reports of AI-powered fraud are increasing. In one 2023 case, a Hong Kong-based firm lost $25 million after a scammer used AI to replicate a CFO’s voice in a video call. In another, fake AI-generated images of global leaders triggered international tensions before being debunked.
Calls for Urgent Regulation and Public Awareness
Altman called for urgent global cooperation to establish ethical and technical guardrails before AI-generated fraud becomes uncontainable. He also urged tech leaders, lawmakers, and civil society to invest in authentication technologies, digital literacy, and watermarking systems to verify real content.
“The future isn’t written yet,” Altman said. “But we must act now—because if trust goes, everything goes.”
As the world races to embrace AI’s promise, Altman’s warning underscores a growing dilemma: how to harness the power of AI while protecting humanity from its darkest potentials.
Source:
Remarks by Sam Altman, CEO of OpenAI, as reported by The Guardian, Time, and OpenAI.com.