InfoQuest Consulting LLC

InfoQuest Consulting LLC Network Systems Design & Consulting Services for Small to Medium Businesses

05/12/2026

GhostLock Tool Leverages Windows API to Lock File Access Like Ransomware

Traditional ransomware disrupts organizations by encrypting data and demanding payment for decryption keys.

However, a newly disclosed technique called GhostLock demonstrates a fundamentally different availability attack that achieves the same business disruption without writing a single encrypted byte to disk.

Discovered by Kim Dvash, an Offensive Security Team Leader, GhostLock exploits standard Windows file-sharing behavior to cause widespread accessibility failures.

By systematically holding files in an exclusively locked state, a low-privileged domain user with standard read access can paralyze corporate Server Message Block (SMB) file shares. From the victim’s perspective, the impact is identical to a ransomware infection.

Critical files become inaccessible, enterprise resource planning applications crash, and shared workflow pipelines fail, requiring specialist intervention to restore operations.

The technique exploits a fundamental, well-documented behavior of the Windows operating system. By invoking the CreateFileW API with dwShareMode set to 0x00000000, any authenticated domain user can acquire an exclusive deny-share handle on a file over SMB.

This forces a STATUS_SHARING_VIOLATION (0xC0000043) error for every other process or network client attempting to open that file for any purpose (read, write, or delete) until the handle is voluntarily closed or forcibly terminated by a storage administrator.

The attack surface is not new. CreateFileW with dwShareMode = 0 is the same mode Microsoft Office uses when it opens a document for editing, a behavior that has existed since Windows NT 3.1. No CVE has been filed because there is no software defect to patch.
GhostLock Attack Exploited

GhostLock implements this single API call through a Python ctypes wrapper requiring no administrative rights and no external dependencies.

To scale across an enterprise NAS, it employs a 32-thread parallel work-stealing scanner that parallelizes SMB2 QUERY_DIRECTORY round-trips, reducing file discovery on a 500,000-file share from over 61 minutes to approximately 6 minutes and 22 seconds.

During a 60-second hold period, victim simulations recorded a 99.8% file access block rate. A single SMB session can hold up to 64,000 exclusive handles simultaneously; with ten parallel sessions, an attacker can exceed 500,000 locked handles, sufficient to paralyze a significant fraction of an entire enterprise NAS deployment.

What makes GhostLock particularly dangerous is its complete evasion of every conventional ransomware defense layer. The paper evaluated the tool against seven enterprise security control categories:

Honeypot/canary files produced zero alerts — canaries trigger on write events, and GhostLock performs no writes.
Write-rate anomaly detectors produced zero alerts — the metric they monitor (write operations) is simply absent.
Behavioral AI ransomware engines produced zero alerts — GhostLock’s read-open profile is indistinguishable from a search indexer or backup pre-scan agent.
Commercial EDR agents produced zero alerts — the system call profile mirrors Microsoft Word opening documents.
NDR/deep packet inspection produced zero alerts — SMB2 traffic showed only CREATE and CLOSE requests, identical to normal document access.
SIEM correlation rules produced zero alerts — no existing ruleset monitors per-session exclusive handle accumulation.

The only reliable detection signal exists inside the NAS management layer itself: the per-session count of simultaneously held exclusive handles.

The paper notes that a legitimate single-user application rarely holds more than a few dozen exclusive handles at once, while GhostLock accumulates tens of thousands, but this metric is not ingested by any enterprise SIEM reviewed in the research.

Even after detection, recovery is not straightforward. Terminating the offending SMB session requires storage administration expertise, and in most large enterprises, the storage operations team and security operations team operate independently without pre-built joint runbooks.

The estimated mean time to recovery in tabletop exercises without a pre-built runbook was 4 to 8 hours.

Notably, if the attacker’s Active Directory credentials are revoked, the existing authenticated SMB session and all its locks can persist for an additional 15 to 60 minutes before session timeout, depending on platform configuration.

Dvash calls on NAS vendors to expose per-session exclusive-handle counts as standard security telemetry alongside existing syslog outputs, and urges SIEM vendors to build storage platform integrations that ingest this data.

For immediate defensive action, the paper recommends alerting on any single SMB session accumulating more than 500 exclusive handles, implementing an NDR rule for bulk SMB CREATE requests with zero corresponding WRITE operations over a 30-minute window, and establishing a joint SecOps/StorageOps runbook specifically for NAS session termination.
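The two alert rules recommended above (a per-session exclusive-handle threshold on the NAS side, and an NDR rule for bulk SMB CREATE requests with no WRITE inside a 30-minute window) expressed as detection logic and run over constructed SMB2 audit records. This is an added example, not code from the GhostLock paper or its tool; the record layout, field names, session names and sample events are all assumptions made for the example.

```python
"""Detection logic for the two GhostLock signals (added example, not the paper's code).

Record layout is an assumption for this example:
    (timestamp, session_id, command, handle_id, share_mode)
where share_mode 0 means a deny-share open (the dwShareMode=0 case) and share_mode is
None for commands that do not carry one.  Map these fields onto whatever your NAS
session telemetry or NDR sensor actually exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def open_exclusive_handles(events):
    """Per-session count of deny-share handles that were opened and not yet closed."""
    open_handles = defaultdict(set)
    for _ts, sid, cmd, hid, share in sorted(events, key=lambda e: e[0]):
        if cmd == "CREATE" and share == 0:
            open_handles[sid].add(hid)
        elif cmd == "CLOSE":
            open_handles[sid].discard(hid)
    return {sid: len(handles) for sid, handles in open_handles.items()}


def sessions_over_handle_threshold(events, threshold=500):
    """NAS-side rule: any single session holding more than `threshold` exclusive handles."""
    counts = open_exclusive_handles(events)
    return sorted(sid for sid, n in counts.items() if n > threshold)


def bulk_create_without_write(events, window=timedelta(minutes=30), min_creates=100):
    """NDR-side rule: at least min_creates CREATEs and zero WRITEs inside one sliding window."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev[1]].append(ev)
    flagged = []
    for sid, evs in by_session.items():
        creates = sorted(e[0] for e in evs if e[2] == "CREATE")
        writes = sorted(e[0] for e in evs if e[2] == "WRITE")
        j = 0  # left edge of the sliding window over CREATE timestamps
        for i, t in enumerate(creates):
            while creates[j] < t - window:
                j += 1
            if i - j + 1 >= min_creates and not any(creates[j] <= w <= t for w in writes):
                flagged.append(sid)
                break
    return sorted(flagged)


def constructed_events():
    """Constructed sample traffic for three sessions (not real captures)."""
    t0 = datetime(2026, 5, 12, 9, 0, 0)
    ev = []
    # "alice": Office-style editing, a handful of exclusive opens, one write, most closed again
    for i in range(5):
        ev.append((t0 + timedelta(seconds=i), "alice", "CREATE", f"a{i}", 0))
    ev.append((t0 + timedelta(minutes=1), "alice", "WRITE", "a0", None))
    for i in range(3):
        ev.append((t0 + timedelta(minutes=2, seconds=i), "alice", "CLOSE", f"a{i}", None))
    # "indexer": many shared-read opens (share_mode 1), each closed at once, no writes
    for i in range(150):
        ev.append((t0 + timedelta(seconds=i), "indexer", "CREATE", f"x{i}", 1))
        ev.append((t0 + timedelta(seconds=i, milliseconds=500), "indexer", "CLOSE", f"x{i}", None))
    # "lockholder": 600 deny-share opens held open, no writes, no closes
    for i in range(600):
        ev.append((t0 + timedelta(seconds=i), "lockholder", "CREATE", f"l{i}", 0))
    return ev


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    print("exclusive handles per session:", open_exclusive_handles(SAMPLE_EVENTS))
    print("over NAS threshold:", sessions_over_handle_threshold(SAMPLE_EVENTS))
    print("bulk CREATE, no WRITE:", bulk_create_without_write(SAMPLE_EVENTS))
```

Run against the constructed sample, the handle-count rule flags only the "lockholder" session, while the bulk-CREATE rule flags both "lockholder" and the "indexer" session, which is exactly the point the paper makes: at the SMB2 request level a lock holder looks like a search indexer or backup pre-scan, so the NDR rule needs an allow-list for known service accounts, and the per-session exclusive-handle count from the NAS remains the reliable signal. If your NDR sensor exposes the ShareAccess field of each SMB2 CREATE, counting only deny-share creates in the second rule cuts those false positives considerably.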

GhostLock demonstrates a fundamentally different availability attack that achieves the same business disruption without writing a single encrypted byte to disk.

05/11/2026

How to Protect Your Linux Systems from "Dirty Frag" and "Copy Fail" exploits

For those who have been concerned about the impact of the two most recent Linux exploits that allow escalation of privilege to root access, here are the current recommendations from InfoQuest Consulting LLC.

Both exploits have been confirmed to target all major Linux distributions released since 2017, so systems released after that time are potentially vulnerable.

FOR "DIRTY FRAG":

At the moment, most major vendors are still working on releasing a patch for affected distros, so systems are still vulnerable. Defenders should assume any local foothold on an unpatched host can become root within seconds.

You can mitigate your risk of exposure by performing these moves IMMEDIATELY!

1. Restrict Shell Access: Revoke SSH or Telnet terminal permissions for all non-administrator accounts.

2. Minimize Attack Surface: Disable unused services, such as the Web Server, and uninstall non-essential third-party applications.
Ensure your server, NAS or network appliance is not directly exposed to the internet. Utilize a firewall or a VPN to restrict access to trusted internal networks only.

3. Implement the following workarounds to block the affected modules from loading into memory. Here are recommendations from Red Hat and Ubuntu. Will post links from other vendors as they become available:

Ubuntu: https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available

Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2026-003

Please be advised that the fixes require a reboot of affected systems, so schedule them for the earliest time that will not disrupt your business.

NOTE: these workarounds may "break" certain services. Please use with caution. If you need assistance with implementing these fixes, please contact InfoQuest Consulting LLC for a consult:

* Call (404) 644-1386 between 9:00 AM - 6:00 PM EST (M-F) or 10:00 AM - 2:00 PM EST (Sat) to set up a call-back appointment
* Go to https://www.infoquestconsultingllc.net/support and click on the "Virtual Appointment" button to set up a virtual appointment through Zoom.

4. If you are running container workloads on your Linux systems, restrict AF_KEY, AF_RXRPC, and XFRM netlink syscalls in container runtimes via seccomp profiles; the default Docker seccomp profile already blocks AF_RXRPC but not AF_KEY or XFRM netlink configuration.

FOR "COPY FAIL":

1. Check the kernel version that you are running. Patches are now available for affected kernels through your distro's update mirrors.

Only 4.15 kernel versions (and higher) are affected.
4.4 kernel versions are not affected.

Update to a patched kernel version ASAP. For Ubuntu distros, perform the following commands:

sudo apt update && sudo apt upgrade

If this is not possible, the affected component can be targeted:

sudo apt update && sudo apt install --only-upgrade kmod

2. If you are running a distro which is EOL (end of life) and you do not have an extended service plan for security updates, you will need to either migrate to a newer distro or block the algif_aead module by creating a /etc/modprobe.d/manual-disable-algif_aead.conf file. This is the same action that the kmod update performs.
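A small helper for the two "Copy Fail" steps above: classify a kernel version against the fixed upstream versions quoted on this page, and produce the modprobe rule that stops algif_aead from loading. This is an added example, not a tool from InfoQuest, Ubuntu or any other vendor; the fixed-version table and the affected/not-affected ranges come from the posts on this page, while the exact modprobe rule text is an assumption about what the distro-shipped file does.

```python
"""Copy Fail (CVE-2026-31431) exposure check (added example; not a distro or vendor tool).

The fixed stable versions and the not-affected ranges come from the posts above; the
modprobe rule text is this example's assumption about what the distro-shipped file does.
Version strings must be upstream stable versions (e.g. "6.6.137"): distribution kernels
such as "5.15.0-NNN-generic" carry backports and cannot be judged by their patch number,
so compare their package version against the vendor advisory instead.
"""
import platform
import re

# First fixed upstream patch level per supported LTS series (from the page).
FIXED_PATCH = {(6, 12): 85, (6, 6): 137, (6, 1): 170, (5, 15): 204, (5, 10): 254}
FIRST_AFFECTED_SERIES = (4, 15)   # 4.15 and later affected, 4.4 not affected
MODPROBE_CONF_PATH = "/etc/modprobe.d/manual-disable-algif_aead.conf"


def parse_kernel_version(text):
    """'6.6.137-rc1' -> (6, 6, 137); '7.0' -> (7, 0, 0)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a kernel version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def copy_fail_status(version_text):
    """One of: not_affected, patched, vulnerable, unknown (series not in the page's table)."""
    major, minor, patch = parse_kernel_version(version_text)
    series = (major, minor)
    if series < FIRST_AFFECTED_SERIES:
        return "not_affected"
    if series == (7, 0):
        return "not_affected"   # the page: 7.0-based distros do not appear to be affected
    fixed = FIXED_PATCH.get(series)
    if fixed is None:
        return "unknown"        # EOL or non-LTS series (e.g. 6.17, 6.19): check the vendor advisory
    return "patched" if patch >= fixed else "vulnerable"


def modprobe_block_rule():
    """Content for MODPROBE_CONF_PATH (assumed, not the distro's exact file).

    'install algif_aead /bin/false' makes every load request for the module, including the
    kernel's own autoload on first AF_ALG use, run /bin/false instead of loading it;
    'blacklist' alone would only stop alias-based loading.
    """
    return "install algif_aead /bin/false\nblacklist algif_aead\n"


def module_loaded(name, proc_modules="/proc/modules"):
    """True if `name` is currently loaded; the config above only blocks future loads."""
    try:
        with open(proc_modules) as fh:
            return any(line.split()[0] == name for line in fh)
    except OSError:
        return False


if __name__ == "__main__":
    running = platform.release()
    print(f"kernel {running}: {copy_fail_status(running)} (upstream numbering only)")
    print(f"algif_aead loaded now: {module_loaded('algif_aead')}")
    print(f"rule to write to {MODPROBE_CONF_PATH}:\n{modprobe_block_rule()}")
```

Two caveats when using this on a real host: the modprobe rule only prevents future loads, so if module_loaded() reports algif_aead as already loaded it must also be unloaded (or the host rebooted) for the block to take effect; and a distribution kernel string such as "5.15.0-139-generic" will classify as "vulnerable" purely because its patch number is 0, so for distro kernels trust the vendor advisory and package version rather than this check.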

If you need assistance with any of these issues, please contact InfoQuest Consulting LLC for a consult:

* Call (404) 644-1386 between 9:00 AM - 6:00 PM EST (M-F) or 10:00 AM - 2:00 PM EST (Sat) to set up a call-back appointment
* Go to https://www.infoquestconsultingllc.net/support and click on the "Virtual Appointment" button to set up a virtual appointment through Zoom.

InfoQuest Consulting is a full-service company dedicated to helping small to medium firms manage their security needs for their existing computer networks and their data protection services. With Customer support you can depend on!

05/11/2026

New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks

A newly disclosed local privilege escalation vulnerability affecting major Linux distributions may already be exploited in the wild.

The exploit, named Dirty Frag and Copy Fail 2, chains two flaws tracked as CVE-2026-43284 and CVE-2026-43500, allowing an unprivileged user to escalate permissions to root.

Researcher Hyunwoo Kim responsibly disclosed the vulnerability, but someone made it public before patches could be released, prompting Kim to make the technical details and PoC code available.

“Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high,” Kim explained.

The vulnerabilities affect the xfrm-ESP (IPsec) and RxRPC components of the Linux kernel, with the greatest impact on hosts that do not run container workloads. In container deployments, an attacker may be able to exploit Dirty Frag to escape a container, but this has yet to be demonstrated, Ubuntu developers noted.

Dirty Frag is similar to Dirty Pipe, a vulnerability that emerged in 2022, and the recently discovered flaw named Copy Fail.

Copy Fail has been exploited in the wild, and Microsoft reports that Dirty Frag may also have been exploited.

According to the tech giant, Dirty Frag can be exploited after attackers gain access to the targeted system, which can be achieved through various means, including compromised SSH accounts, web shell access via internet-exposed applications, abusing service accounts, container escapes to the host environment, or remote access compromise.

Microsoft said its Defender product has seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail.

“After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, and inspects an exploit artifact,” Microsoft explained.

“The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added.

Linux distributions have started releasing patches and mitigations for Dirty Frag, including Red Hat, Amazon Linux, Ubuntu, Fedora, and Alma Linux.

Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released.

05/04/2026

Copy Fail Linux Kernel Vulnerability Now Patched in Debian, Ubuntu, and Others

Supported Linux kernels like 6.12 LTS, 6.6 LTS, 6.1 LTS, 5.15 LTS, and 5.10 LTS are all affected.

Found by Xint Code, the Copy Fail (CVE-2026-31431) security vulnerability, which could allow a local user to elevate privileges to the root user, has been patched in Debian, Ubuntu, AlmaLinux OS, and other popular distributions affected by this flaw.

On April 29th, 2026, a local privilege escalation vulnerability affecting the Linux kernel was publicly disclosed as CVE-2026-31431 and referred to as “Copy Fail.” The vulnerability affects the algif_aead kernel module, which provides hardware-accelerated cryptographic functions.

Who is affected? This vulnerability primarily affects multi-tenant Linux hosts, container clusters, and standard Linux servers. If you are the only user on your system, you are mostly safe because the vulnerability doesn’t grant remote attackers access by itself, but it can be exploited via local code execution.

On Linux hosts that don’t run container workloads, the vulnerability allows a local user to elevate privileges to the root user. In container deployments that may execute potentially malicious workloads, the vulnerability may facilitate container escape scenarios.

What kernels are affected? Supported Linux kernels like 6.12 LTS, 6.6 LTS, 6.1 LTS, 5.15 LTS, and 5.10 LTS are all affected and have been patched against the Copy Fail vulnerability with versions 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254. Also affected are distros running EOL kernels like Linux 6.17 or 6.19 (e.g., Ubuntu 25.10).

Linux kernel security patches have been published by major distribution vendors like Debian, Ubuntu, AlmaLinux, Fedora, SUSE, Red Hat, and many others. However, some newer distributions that run the latest Linux 7.0 kernel, such as Ubuntu 26.04 LTS, do not appear to be affected by this vulnerability.

As usual, make sure you always have the latest updates installed on your GNU/Linux distribution. If you believe your distro is affected by the Copy Fail flaw, do patch your installation as soon as possible by running a standard update, followed by a system reboot.

The Copy Fail Linux kernel security vulnerability that could allow a local user to elevate privileges to the root user has now been patched.

04/30/2026

New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions

Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root.

The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori.

"An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the vulnerability research team at Xint.io and Theori said.

At its core, the vulnerability stems from a logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module. The issue was introduced in a source code commit made in August 2017.

Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu.

While the vulnerability is not remotely exploitable in isolation, a local unprivileged user can get root simply by corrupting the page cache of a setuid binary. The same primitive also has cross-container impacts as the page cache is shared across all processes on a system.

In response to the disclosure, Linux distributions have released their own advisories -

Amazon Linux
Debian
Red Hat Enterprise Linux
SUSE
Ubuntu

What makes the vulnerability dangerous is that it can be reliably triggered and does not require any race condition or kernel offset. On top of that, the same exploit works across distributions.

"This vulnerability is unique because it has four properties that almost never appear together: it's portable, tiny, stealthy, and cross-container," a Xint.io spokesperson told The Hacker News in a statement. "It allows any user account, no matter how low-level, to increase their privilege to full admin access. It also allows them to bypass sandboxing and works across all Linux versions and distributions."

https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html

CVE-2026-31431 CVSS 7.8 flaw since 2017 enables root via 732-byte exploit, impacting major Linux distributions.

01/01/2026

New Year, New Support Hours!

Happy New Year from everyone at InfoQuest Consulting LLC!

Effective Jan 1, 2026, our support hours are as follows:

Monday-Friday: 9:00AM-6:00PM EST
Saturday: 10:00AM - 2:00PM EST

Please have your contract number available for phone support. Tickets submitted through the portal will be handled according to severity. Tickets submitted outside these hours will be processed the next business day (with the exception of Disaster Recovery Service customers).

We have just made updates to our ticketing system to reflect this, and the main web site will be updated shortly with the new hours posted.

HAPPY NEW YEAR!

11/03/2025

How do I Choose the Right Cybersecurity Measures for My Small Business?

Step #1: Assess and plan

Conduct a risk assessment: Determine your specific vulnerabilities and what assets need the most protection, including an inventory of your data and systems.
Create an Incident Response Plan: Prepare a plan for how your business will respond to a security incident before one occurs.
Establish a security culture: Make cybersecurity a regular topic of discussion and create policies for acceptable use and data protection.

Step #2: Implement foundational security controls

Use strong passwords and MFA: Enforce strong password policies and enable multi-factor authentication on all critical accounts to prevent unauthorized access.
Keep software and systems updated: Regularly patch and update all software, operating systems, and applications to protect against known vulnerabilities.
Secure your network: Use a firewall to protect your network and implement a Virtual Private Network (VPN) for remote employees.
Install security software: Deploy antivirus and endpoint protection software on all company devices.

Step #3: Improve your password strength.

It’s shocking that, in 2025, the world’s most-used password was still “123456.” If you’re feeling a sudden flush of embarrassment reading that last sentence, now is the time to overhaul your passwords. Too many employees and executives use passwords that are easy to hack, often sharing them across several platforms and websites. If one password is compromised, the potential harm increases exponentially.

“All passwords should have at least 10 characters or more, including at least one uppercase, one lowercase, one number, and one special character,” said Myles Keough, CEO of Spade Technology. Since each online account or service should ideally have a different password, it’s often easier to use a password manager tool to remember them all through your web browser.

Step #4: Secure data and devices

Back up data regularly: Establish a system for regularly backing up critical data and test your ability to restore it.
Limit access to sensitive data: Restrict access to sensitive information to only those employees who need it to perform their jobs.
Protect mobile devices: Create a plan for securing mobile devices, which may hold confidential information, and enable remote wiping if possible.

Step #5: Train your employees

Provide regular training: Educate your staff on common threats like phishing and social engineering.
Teach basic cyber hygiene: Train employees on how to recognize and report suspicious activity.

Teaching staff how to identify threats is central to a proactive and positive company-wide cyber security policy. Specialist cybersecurity firms can send your staff a bogus email of the type a spammer or hacker might produce. If they click on a link or open an attachment, they’re shown a message along the lines of “this was a test, but next time you might have infected the network with a virus.” Staff will remember this, discuss it and – most importantly – learn from it.

Some businesses might picture an overseas hacker taking extraordinary measures to break into a small business’s network, but that’s not usually the case. In many scenarios, a crude phishing email could compromise your small business. Basic safety measures often prevent attacks from being successful.

Why your small business needs cybersecurity

“Small business owners cannot think their business is too small to be hacked,” said Monique Becenti, product marketing manager at Zimperium. “While the breaches that make headlines tend to be associated with large enterprises, no business is immune to cyberthreats.”

But if you are in doubt, ask an expert:

One of the big reasons small firms avoid putting resources toward cybersecurity is a lack of understanding and concern. Even the term “cybersecurity” can be intimidating, yet there are plenty of experts ready to offer advice in layman’s terms. If the reason your business avoids taking cybersecurity measures is a lack of knowledge, there are experts out there willing to visit your business, either for training or to share options for cybersecurity plans. Ignoring cybersecurity because your team lacks technical knowledge isn’t a legitimate excuse.

10/27/2025

Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation

Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Services (WSUS) vulnerability that has a publicly available proof-of-concept (PoC) exploit and has come under active exploitation in the wild.

The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week.

Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug.

The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network. It's worth noting that the vulnerability does not impact Windows servers that do not have the WSUS Server Role enabled.

In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a "legacy serialization mechanism," leading to remote code execution.

"To comprehensively address CVE-2025-59287, Microsoft has released an out of band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server 2025," Redmond said in an update.

Once the patch is installed, it's advised to perform a system reboot for the update to take effect. If applying the out-of-band update is not an option, users can take any of the following actions to protect against the flaw -

Disable WSUS Server Role in the server (if enabled)
Block inbound traffic to Ports 8530 and 8531 on the host firewall
"Do NOT undo either of these workarounds until after you have installed the update," Microsoft warned.

The development comes as the Dutch National Cyber Security Centre (NCSC) said it learned from a "trusted partner that abuse of CVE-2025-59287 was observed on October 24, 2025."

Eye Security, which notified NCSC-NL of the in-the-wild exploitation, said it first observed the vulnerability being abused at 06:55 a.m. UTC to drop a Base64-encoded payload targeting an unnamed customer. The payload, a .NET executable, "takes the value 'aaaa' request header and runs it directly using cmd.exe."

Cybersecurity firm Huntress also said it detected threat actors targeting WSUS instances publicly exposed on their default ports (8530/TCP and 8531/TCP) starting around 2025-10-23 23:34 UTC. However, it noted that exploitation of CVE-2025-59287 is likely to be limited, given that WSUS instances rarely expose ports 8530 and 8531 to the internet.

"Attackers leveraged exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services) that triggered a deserialization RCE against the update service," it said.

The exploit activity has resulted in the WSUS worker process spawning "cmd.exe" and PowerShell instances, leading to the download and execution of a Base64-encoded PowerShell payload with the goal of enumerating exposed servers for network and user information and exfiltrating the results to an attacker-controlled webhook[.]site URL.

"We're now seeing indiscriminate, in-the-wild exploitation of the pre-auth RCE vulnerability in Microsoft's WSUS service that was disclosed earlier in October," watchTowr's Benjamin Harris said in a statement. "Exploitation of this flaw is indiscriminate."

"If an unpatched WSUS instance is online, at this stage, it has likely already been compromised. There really is no legitimate reason in 2025 to have WSUS accessible from the Internet – any organization in that situation likely needs guidance to understand how they ended up in this position."

"We've observed exposure in 8,000+ instances, including extremely sensitive, high-value organizations. This isn't limited to low-risk environments – some of the affected entities are exactly the types of targets attackers prioritize."

When reached for comment, a Microsoft spokesperson told the publication that "We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected."

The company also emphasized that the issue does not affect servers that don't have WSUS Server Role enabled and has recommended impacted customers to follow the guidance on its CVE page.

Given the availability of a PoC exploit and detected exploitation activity, it's essential that users apply the patch as soon as possible to mitigate the threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate it by November 14, 2025.

Microsoft releases urgent fix for critical WSUS flaw CVE-2025-59287 under active exploitation.

10/18/2025

Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in 'Zero Disco' Attacks

Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.

The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group.

The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.

"The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access," researchers Dove Chiu and Lucien Chuang said.

The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel.

Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection and response solutions enabled, making it possible to deploy the rootkits in order to fly under the radar. In addition, the adversary is said to have used spoofed IP and MAC addresses in their intrusions.

The rootkit is commandeered by means of a UDP controller component that can serve as a listener for incoming UDP packets on any port, toggle or disable log history, create a universal password by modifying IOSd memory, bypass AAA authentication, conceal certain portions of the running configuration, and hide changes made to the configuration by altering the timestamp to give the impression that it was never modified.

Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.

The name "Zero Disco" is a reference to the fact that the implanted rootkit sets a universal password that includes the word "disco" in it -- a one-letter change from "Cisco."

"The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot," the researchers noted. "Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed."

Operation Zero Disco exploits Cisco IOS flaw CVE-2025-20352 to deploy persistent Linux rootkits

10/16/2025

Microsoft pushes AI updates in Windows 11 as it ends support for Windows 10

Microsoft is encouraging people to talk to their laptops as it rolls out new artificial intelligence updates to Windows 11 and pushes users to phase out its predecessor, Windows 10.

Microsoft ended free security support for Windows 10 this week, though millions of people still use personal computers running the older operating system.

To entice people to upgrade, the software giant on Thursday announced new Windows 11 features, most of them further integrating the company’s AI chatbot, Copilot, into the experience of using a laptop.

Among the features is a voice mode that enables users to dictate “Hey, Copilot” to start chatting with their computer instead of typing or clicking a touchpad.

Microsoft first introduced Windows 10 a decade ago and launched its successor, Windows 11, in 2021.

But many people around the world still are using Windows 10, particularly those with older computers that can’t upgrade to Windows 11. Consumer advocates have spent months petitioning Microsoft to extend technical support for an estimated hundreds of millions of devices that will no longer get automatic security fixes.

“With the end of Windows 10, users face the choice between exposing themselves to cyberattacks or discarding their old computers and buying new ones,” said Brenna Stevens of the Oregon State Public Interest Research Group, which advocated on behalf of local repair shops, students and others.

Microsoft has said people can pay extra for a year of extended security support through October 2026. Some users, including those in the European Union as well as U.S. users who can synchronize with Microsoft’s cloud service, will be able to get that extended support for free.

But most people faced with unsupported devices are likely to either keep using them despite the vulnerabilities or throw them away, which “creates both a security problem and an environmental problem,” generating huge amounts of toxic electronic waste, said Nathan Proctor, who leads PIRG’s Right to Repair campaign. Both PIRG and Microsoft urge those who are replacing their computers to avoid sending their older models to the landfill.

Those concerns were not a focus of Microsoft’s Windows 11 announcements Thursday. Instead, Yusuf Mehdi, an executive vice president and chief marketing officer for Microsoft’s consumer division, argued that conversing with a laptop will be “as transformative as the mouse and keyboard” in shaping the PC experience. Microsoft says all Windows 11 users will also now have access to Copilot Vision, an AI feature that can analyze and give feedback on the documents, video games and other activities happening on the screen.

Mehdi acknowledged it could take some adjustment to get used to human-computer conversations in shared workspaces.

“Just like when the mouse came out, people have to figure out when to use it, what’s the right way, how to make it happen,” Mehdi told reporters.

The updates are Microsoft’s latest attempt to make its widely used Windows operating system a gateway to hook people on its suite of generative AI tools. The tech giant competes heavily on AI services with Apple, Google and startups like Anthropic and OpenAI.

Microsoft is encouraging people to talk to their laptops with new AI updates to Windows 11. But millions of computer users are still using Windows 10 as Microsoft ends free security support this week for the older operating system.

Address

3939 Lavista Road, # 223
Tucker, GA
30084

Opening Hours

Monday 9am - 6pm
Tuesday 9am - 6pm
Wednesday 9am - 6pm
Thursday 9am - 6pm
Friday 9am - 6pm
Saturday 10am - 2pm

Telephone

+14046441386
