Microsoft is putting Windows 7 users at risk by giving Windows 10 priority patches that its older sibling may not receive - and, if it does, they may not be rolled out until a much later date. That is the assertion of researcher Mateusz Jurczyk from Google's Project Zero, which has already found a number of troubling vulnerabilities in Microsoft's operating systems.
This is because, as Jurczyk argues, by patching Windows 10 and not Windows 7, despite the fact that they both share a lot of similar code, Microsoft is leaving breadcrumbs for attackers to follow on how to attack the OS.
In a technique known as 'binary diffing', hackers may analyse the new code contained in a patch for Windows 10 and reverse-engineer from it the vulnerability Microsoft is trying to fix. They may then use this knowledge to attack older versions of the operating system that either won't receive the patch or, at least, won't get it as soon as the more recent product.
According to the most recent statistics, Windows 7 users still account for the largest proportion of Windows PC in the world, standing at 43.99% of the market share. Given Windows 7, 8, and 10's largely similar core code, this leaves those millions of users not currently on Windows 10 in grave danger of being attacked, with Microsoft pointing the hackers in the right direction.
With regard to Microsoft's policy of giving priority to Windows 10 in patching security flaws, Jurczyk said the following:
"This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows."
"Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security."
Jurczyk referred to three different vulnerabilities - CVE-2017-8680, CVE-2017-8684, and CVE-2017-8685 - which only affected Windows 7 and 8.1 but not Windows 10 as examples of this scenario. Fortunately, Microsoft patched them last month after being notified by Project Zero.
He cautioned that finding such vulnerabilities using diffing would be an altogether simple process and would not require an advanced understanding of Windows, leaving such vulnerabilities all the more damning and making it particularly important for software vendors to push patches consistently throughout their range of products.
Source: Project Zero via ZDNet
133 Comments - Add comment