Microsoft is putting Windows 7 and 8.1 users in danger by only patching Windows 10, claims Google
According to Google’s Project Zero researcher Mateusz Jurczyk, Microsoft is focusing only on patching vulnerabilities in its current operating system, Windows 10, and has left Windows 7 and 8.1 out in the cold by not rolling the same critical security updates and patches out to them. As a result, hundreds of millions of computers running the older versions are at risk of being compromised by hackers.
While performing his analysis, Jurczyk found three vulnerabilities, CVE-2017-8680, CVE-2017-8684, and CVE-2017-8685, which affected only Windows 7 and 8.1 and not Windows 10. He was able to find them because Microsoft had patched them in the newest OS but not in the older versions.
Jurczyk used a technique called ‘binary diffing’, with which he found examples of patches that had been applied to Windows 10 but not to Windows 7 or 8.1.
For those unaware, binary diffing is a powerful technique for reverse-engineering patches released by software vendors like Microsoft. By analysing a security patch in particular, you can dig into the details of the vulnerability it fixes. The technique is especially useful for Microsoft binaries.
By using binary diffing, hackers can analyse vulnerabilities fixed in Windows 10, then exploit the same security bugs still present in earlier versions of Windows, putting their users at risk.
“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform. This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows,” Jurczyk explains.
“Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security. This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls.”
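The “kernel memory disclosure and the added memset calls” that Jurczyk mentions are a bug class where the fix is visibly one line. The following C program is an added illustration, not code from the article or from Project Zero’s write-up: a struct with internal padding is filled field by field on reused memory and then handed out whole, so the padding bytes carry whatever was there before. The struct layout, the field values and the 0xAA “stale memory” marker are constructed for the demonstration; the hardened variant is the kind of leading `memset()` that such a patch adds.

```c
/* Added example (not from the article or Project Zero's write-up): why an added
 * memset() call is the textbook fix for a kernel memory disclosure. The struct,
 * its values and the 0xAA stale-memory marker are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct info {
    uint8_t  flags;    /* followed by padding before the 4-byte id */
    uint32_t id;
    uint16_t kind;     /* followed by padding before the 8-byte cookie */
    uint64_t cookie;
};

#define STALE_MARKER 0xAA   /* stands in for leftover data in reused memory */

/* Number of padding bytes in struct info on this ABI. */
size_t info_padding_bytes(void) {
    return sizeof(struct info) - (sizeof(uint8_t) + sizeof(uint32_t)
                                  + sizeof(uint16_t) + sizeof(uint64_t));
}

/* "Before": fields are set one by one; the padding bytes are never written. */
void fill_info_unhardened(struct info *out) {
    out->flags  = 1;
    out->id     = 0x1234;
    out->kind   = 7;
    out->cookie = 0xCAFEF00D;
}

/* "After": zero the whole object first, then set the fields. This is the
 * one-line memset() fix the article refers to. */
void fill_info_hardened(struct info *out) {
    memset(out, 0, sizeof *out);
    out->flags  = 1;
    out->id     = 0x1234;
    out->kind   = 7;
    out->cookie = 0xCAFEF00D;
}

/* A reused memory slot, viewed both as the struct and as raw bytes. */
static union {
    struct info   s;
    unsigned char raw[sizeof(struct info)];
} slot;

/* Simulate reuse: pre-fill the slot with the marker, run the fill routine, then
 * count how many bytes still carry the marker. Those are the bytes a caller
 * would receive when the struct is copied out to it. */
size_t count_disclosed_bytes(int hardened) {
    size_t leaked = 0;

    memset(slot.raw, STALE_MARKER, sizeof slot.raw);  /* data from a previous use */
    if (hardened)
        fill_info_hardened(&slot.s);
    else
        fill_info_unhardened(&slot.s);

    for (size_t i = 0; i < sizeof slot.raw; i++)
        if (slot.raw[i] == STALE_MARKER)
            leaked++;
    return leaked;
}

int main(void) {
    printf("struct info: %zu bytes, %zu of them padding\n",
           sizeof(struct info), info_padding_bytes());
    printf("unhardened fill discloses %zu stale byte(s)\n", count_disclosed_bytes(0));
    printf("hardened fill discloses   %zu stale byte(s)\n", count_disclosed_bytes(1));
    return 0;
}
```

The field values were chosen so that no legitimate byte equals the marker; every surviving 0xAA is therefore padding that the unhardened routine never touched, which is exactly what a user-mode caller would read back from an unpatched kernel copy-out. The point for the article is that the fixed build differs from the unfixed one by little more than this `memset()`, which is why the bug class is so easy to spot by diffing.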
Thankfully, all three vulnerabilities mentioned above were patched by Microsoft last month, after Project Zero notified the company at the end of May this year.
Microsoft also made clear, in a statement to The Register, that it would prefer all Windows users to run the same version of the OS. The company said:
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Currently, Microsoft supports the previous versions, Windows 7 and 8.1, alongside Windows 10. Windows 7 is due to receive monthly security fixes from Microsoft until January 14, 2020, and Windows 8.1 until January 10, 2023.
You can read Jurczyk’s detailed analysis by clicking here.