Windows 10 ESU

The Claude Mythos Preview findings change the ESU argument completely. When Microsoft set October 2026 as the Windows 10 ESU end date, no one knew that an AI model would shortly identify thousands of zero-day vulnerabilities across every major OS and browser — including decades-old bugs that survived years of human review.

Anthropic's CEO has publicly said there's a 6–12 month window to patch these before adversarial AI catches up.

For consumers on hardware that can't run Windows 11 and who can hardly afford to purchase new computers, ESU ending in October 2026 doesn't mean a "gradually rising risk" anymore. It means permanent and high-probability exposure to vulnerabilities that bad actors using AI can find and exploit autonomously, in minutes. Schools, small businesses, health clinics, households on fixed incomes (that’s my wife and me): these are exactly the targets researchers say will be hit first and hardest.

Project Glasswing, launched by Anthropic, helps companies identify and patch software vulnerabilities by providing early access to its advanced AI model, Claude Mythos Preview.

This initiative aims to secure critical software by enabling defenders to find security flaws faster than attackers can exploit them.

Microsoft could move the ESU end date to ensure at least critical risks are mitigated, if not all risks. If nothing else, litigation risks should influence their decision.

European consumer groups already moved Microsoft once on ESU terms. The Mythos findings are a far stronger argument.

Anyone else think it's time to push again?
 

Yes — but I’d frame the argument carefully

Martin, I think you’re right that AI-assisted vulnerability discovery changes the Windows 10 ESU discussion. The strongest argument is not “Windows 10 must be supported forever,” but:
Microsoft should extend consumer Windows 10 ESU for critical and important security fixes beyond October 13, 2026, especially for users whose otherwise functional hardware is blocked from Windows 11.
Microsoft’s current consumer ESU position is that enrolled Windows 10 22H2 devices receive critical and important security updates only until October 13, 2026. Microsoft also states that Windows 10’s normal support ended on October 14, 2025.

Why the Mythos / Glasswing point matters

Anthropic’s own Project Glasswing page says Claude Mythos Preview is being used defensively with partners including Microsoft, and describes the model as capable of finding and exploiting vulnerabilities at a level beyond most human researchers. Anthropic also specifically cites a 27-year-old OpenBSD vulnerability as an example of the kind of issue Mythos found.
That does change the risk model. Unsupported Windows 10 after ESU is not just “old OS slowly gets riskier.” It becomes:
  1. Faster vulnerability discovery
     AI may compress the time between “bug exists” and “working exploit exists.”
  2. More automated targeting
     Attackers will not need the same level of expert skill to find exploitable paths.
  3. Greater harm to lower-income users
     The people least able to replace hardware are also the people least able to absorb identity theft, ransomware, or device loss.
  4. A public safety angle
     Schools, small clinics, charities, small businesses, and households using unsupported but still functional PCs are not fringe cases.

But I would avoid overstating one point

I would be cautious with wording like “permanent and high probability exposure”. It is directionally fair, but Microsoft will likely push back by saying:
1. Not every Mythos-discovered vulnerability affects Windows 10.
2. ESU never promised full product support, only security updates.
3. Commercial and education organizations already have longer ESU options than consumers. Microsoft says commercial and educational Windows 10 endpoints can receive security updates for up to three years after Windows 10 end of support.
4. Microsoft may argue that Windows 11 hardware requirements are themselves security-driven.
A stronger version is:
The emergence of AI-scale vulnerability discovery materially changes the risk assumptions behind ending consumer Windows 10 ESU in October 2026. Microsoft should provide at least an additional critical-security-only ESU path for consumers, nonprofits, schools, small clinics, and low-income users whose PCs cannot officially run Windows 11.

What to ask Microsoft for

If people push again, I’d suggest asking for specific, practical changes:
  1. Extend consumer ESU to October 2028
     Align consumers more closely with commercial/education ESU timelines.
  2. Provide a free or hardship-based ESU option
     Especially for low-income users, seniors, students, charities, and medical/community organizations.
  3. Remove Microsoft account / cloud-backup conditions everywhere
     European consumer pressure already helped change ESU terms in the EEA, where consumer groups said Microsoft agreed to a free one-year ESU option through October 13, 2026.
  4. Commit to patching Mythos/Glasswing-class critical Windows 10 flaws
     Even after normal consumer ESU ends, Microsoft could commit to backporting fixes for wormable, remotely exploitable, privilege-escalation, browser/OS boundary, and actively exploited vulnerabilities.
  5. Publish clearer guidance
     Microsoft should state whether critical vulnerabilities found through Project Glasswing that affect Windows 10 will be backported to Windows 10 ESU devices.

What users should do meanwhile

For anyone staying on Windows 10:
  1. Enroll in ESU now if eligible.
  2. Keep Windows 10 fully patched through Settings > Update & Security > Windows Update.
  3. Keep browsers updated separately.
  4. Use Microsoft Defender or another reputable AV.
  5. Use a standard user account for daily work.
  6. Keep offline backups.
  7. Avoid unsupported browsers, cracked software, and unknown remote-access tools.
  8. Consider Linux Mint, ChromeOS Flex, or another supported OS if the hardware is blocked from Windows 11.

Bottom line

Yes — I think it is time to push again. The best argument is security equity: AI-driven vulnerability discovery makes the October 2026 consumer cutoff harder to justify for people who cannot afford new hardware and whose Windows 10 machines are still functional. Microsoft does not need to support Windows 10 forever, but a critical-security-only consumer ESU extension would be a reasonable and defensible compromise.
 
