Free Republic
General/Chat

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold
The Register ^ | Oct 6, 2017 | Shaun Nichols

Posted on 10/10/2017 7:39:50 PM PDT by dayglored

Versions in use by millions lag behind latest OS, leaving systems vulnerable to attack

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creators Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

This is all according to researchers on Google's crack Project Zero team. The fear is that miscreants comparing the various public builds of Windows will notice these vulnerabilities are being silently fixed in Windows 10, realize the same holes are present in earlier versions of Windows – which are still used in homes and businesses worldwide – and thus exploit the bugs to infect systems and spy on people. And if hackers haven't realized this, they will now: Google staffers have publicly blogged about it.

Redmond engineers are quietly addressing these Windows security flaws as part of their efforts to improve components within the Windows 10 operating system. For instance, a team may be tasked with improving memory management in the kernel, and as a result, will rewrite chunks of the source code, boosting the software's performance while squashing any pesky exploitable bugs along the way. For the marketing department, this is great news: now they can boast about faster loading times. Malware developers, meanwhile, can celebrate when they discover the programming blunders are still present in Windows 8 and 7.

"Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform," Google Project Zero researcher Mateusz Jurczyk said on Thursday.

"This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows."

As an example of the problem, Jurczyk highlighted the wobbly use of memset() within the kernel. This is a function that is supposed to overwrite bytes in a specific area of memory to a specific value, such as zero, thus scrubbing away whatever was previously stored in that portion of memory.

When an application asks the kernel, via the NtGdiGetGlyphOutline system call, to fill an area of memory with information and copy it into the app's memory space, the OS does not fully overwrite that area with memset() before the copy. The kernel therefore copies leftover private kernel data into the application's memory, leaking information it really shouldn't. This can be useful to snoop on the OS and other programs, or to gain enough know-how of the system's internal operations to pull off more damaging exploits.

This information-disclosure bug was fixed in Windows 10, but remained present in Windows 7 and Windows 8.1 – until it was reported by Project Zero to Microsoft at the end of May this year and fixed in patches for Windows 7 and 8.1 systems in September. Google typically gives vendors, including Microsoft, 90 days to address any reported security shortcomings before going public, forcing developers and manufacturers to play their hand.

This months-long lag in deploying patches to previous flavors of Windows is leaving systems vulnerable to attack. By broadly upgrading the security defenses in Windows 10, Microsoft is making it easier for hackers to see where they could exploit weak spots in older versions.

"Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security," Jurczyk explained.

"This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls."

While it's not realistic to expect a vendor to maintain major updates and produce patches indefinitely for older software versions, as many as half of all Windows users are still running Windows 7 and 8 – meaning millions of people are being put at risk by Windows 10's security improvements, ironically.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.

"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible," a Microsoft spokesperson told The Register.

"Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Translation: please, please stop using Windows 7 and 8. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: microsoft; patches; security; windows; windows10; windowspinglist; windowsupdate
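As an added illustration of the memset() problem the article describes, here is demo code written for this page (not Microsoft's kernel code and not Project Zero's proof of concept): a simulated fixed-size kernel region is filled only as far as one request needs and then copied out whole, so whatever earlier kernel work left in the rest of the region reaches the caller; the hardened variant scrubs the whole region first. The 64-byte buffer, the 0xAB "residue" marker and the eight glyph bytes are constructed for the demo, and NtGdiGetGlyphOutline itself is not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed-length region the simulated syscall hands back to its caller. */
#define GLYPH_BUF_SIZE 64

/* Marker value standing in for private kernel data left behind by earlier work.
   Constructed for this demo; real residue would be pointers, tokens and the like. */
#define STALE_MARKER 0xAB

/* A kernel-side scratch region that is reused across requests. */
static unsigned char kernel_scratch[GLYPH_BUF_SIZE];

/* Simulate an earlier kernel operation leaving sensitive contents in the region. */
static void simulate_previous_kernel_use(void)
{
    memset(kernel_scratch, STALE_MARKER, sizeof kernel_scratch);
}

/* Vulnerable pattern: write only the bytes this request produced, then copy the
   whole fixed-size region out. Bytes past glyph_len are never overwritten, so
   whatever the region held before leaks to the caller. */
static size_t get_glyph_vulnerable(unsigned char *user_out, size_t user_len,
                                   const unsigned char *glyph, size_t glyph_len)
{
    size_t produced = glyph_len < GLYPH_BUF_SIZE ? glyph_len : GLYPH_BUF_SIZE;
    size_t copied = user_len < GLYPH_BUF_SIZE ? user_len : GLYPH_BUF_SIZE;

    memcpy(kernel_scratch, glyph, produced);   /* partial fill only */
    memcpy(user_out, kernel_scratch, copied);  /* BUG: the tail is stale */
    return copied;
}

/* Hardened pattern: scrub the entire region before filling it, so the tail that
   reaches the caller is zeros rather than leftovers from a previous request. */
static size_t get_glyph_fixed(unsigned char *user_out, size_t user_len,
                              const unsigned char *glyph, size_t glyph_len)
{
    size_t produced = glyph_len < GLYPH_BUF_SIZE ? glyph_len : GLYPH_BUF_SIZE;
    size_t copied = user_len < GLYPH_BUF_SIZE ? user_len : GLYPH_BUF_SIZE;

    memset(kernel_scratch, 0, sizeof kernel_scratch); /* the missing memset() */
    memcpy(kernel_scratch, glyph, produced);
    memcpy(user_out, kernel_scratch, copied);
    return copied;
}

/* Leak check: count bytes beyond what the request produced that still carry the
   stale marker. Zero means nothing from the previous use reached the caller. */
static size_t count_stale_bytes(const unsigned char *out, size_t len, size_t produced)
{
    size_t stale = 0;
    for (size_t i = produced; i < len; i++)
        if (out[i] == STALE_MARKER)
            stale++;
    return stale;
}

/* Run one request through either variant and report how many stale bytes leaked.
   Returns (size_t)-1 if the request's own bytes did not arrive intact. */
static size_t leaked_bytes(int use_fix)
{
    static const unsigned char glyph[] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed input */
    unsigned char user_out[GLYPH_BUF_SIZE];
    size_t n;

    simulate_previous_kernel_use();
    n = use_fix ? get_glyph_fixed(user_out, sizeof user_out, glyph, sizeof glyph)
                : get_glyph_vulnerable(user_out, sizeof user_out, glyph, sizeof glyph);

    /* Both variants must still deliver the request's own bytes correctly. */
    if (memcmp(user_out, glyph, sizeof glyph) != 0)
        return (size_t)-1;
    return count_stale_bytes(user_out, n, sizeof glyph);
}

int main(void)
{
    printf("vulnerable: %zu stale bytes reach the caller\n", leaked_bytes(0));
    printf("fixed:      %zu stale bytes reach the caller\n", leaked_bytes(1));
    return 0;
}
```

The check in count_stale_bytes is the same kind of comparison Project Zero's bug report relies on: fill kernel memory with a recognisable pattern, issue the call, and see whether the pattern shows up in user space. The fix is deliberately the blunt one the article mentions, a memset() over the whole region before it is populated, rather than trying to track exactly which bytes were written.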
This is troubling, and frankly very disappointing. Yeah, I get that Microsoft wants to kill Win7 and Win8/8.1. And I get that many people think Win10 is better. They're entitled to their view.

Well, too bad, Microsoft. Win7 and Win8 users are still entitled to security fixes for another 2+ years (Win7) and many more with Win8.1.

Microsoft is playing a dangerous game -- more and more people are upgrading from Win7 and Win8 to something other than Windows. It's always better for business to keep an existing customer than to have to scout around and attract more. It's especially difficult to win back a customer who has deserted. You'd think Microsoft would want to keep existing customers happy even if they're not running the latest and greatest release.

1 posted on 10/10/2017 7:39:51 PM PDT by dayglored

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
Windows 10 security fixes not released for Win7/8 ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 10/10/2017 7:40:39 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Business as usual for Micro$loth


3 posted on 10/10/2017 7:42:57 PM PDT by Fiddlstix (Warning! This Is A Subliminal Tagline! Read it at your own risk!(Presented by TagLines R US))

To: Fiddlstix

Still working with W7 Enterprise at work, with no plan to replace it.


4 posted on 10/10/2017 7:45:54 PM PDT by ButThreeLeftsDo (MAGA!!!)

To: dayglored

Microsoft could charge a modest yearly fee to maintain security on older OS systems and yet still sell enough newer OS system computers for profits. Leftist greedy tasbards.


5 posted on 10/10/2017 7:50:35 PM PDT by tflabo

To: dayglored

It's all our fault, for buying all those different OSes and upgrading... what were we thinking? Why didn't Microsoft tell us... uh, wait, what?


6 posted on 10/10/2017 7:56:54 PM PDT by bigbob (People say believe half of what you see son and none of what you hear - M. Gaye)

To: tflabo
> Microsoft could charge a modest yearly fee to maintain security on older OS systems and yet still sell enough newer OS system computers for profits. Leftist greedy tasbards.

Oh, they already do that. If you're a large enough customer (think 1000s of installed machines) you can pay Microsoft to give you patches for everything back to and including WinXP.

That was demonstrated within the past year when Microsoft was able to release an emergency patch for WinXP with zero delay -- they already had developed it for their "paying" customers.

7 posted on 10/10/2017 8:08:29 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: ButThreeLeftsDo
> Still working with W7 Enterprise at work, with no plan to replace it.

There are tons of businesses and individuals who are in "When You Pry It From My Cold Dead Fingers" mode about Win7.

I admit, I'm largely (though not entirely) in that camp too.

8 posted on 10/10/2017 8:11:04 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Fiddlstix

Another reason to hate Microsoft


9 posted on 10/10/2017 8:13:23 PM PDT by ptsal ( Get your facts first, then you can distort them as you please. - M. Twain)

To: dayglored

Heh. Earlier in the week, I was in the Coeur d'Alene department that handles mobile home titles. Noticed the lock screens on their systems were the old Win XP one.


10 posted on 10/10/2017 8:13:39 PM PDT by Noumenon (Can you imagine if Islam were NOT the religion of peace?)

To: dayglored

I’m sticking with windows 7 until they decide to make the UI and explorer and everything else function on newer versions of Windows just like Win7.


11 posted on 10/10/2017 8:16:17 PM PDT by wastedyears (Anime is real.)

To: dayglored

Funny how they’ll still support XP users if they’re big enough or government enough.


12 posted on 10/10/2017 8:19:09 PM PDT by ichabod1 (Smoke does not mean fire when someone threw a smoke grenade.)

To: tflabo

They’ve already GOT that money, now their only interest is getting you to buy again.


13 posted on 10/10/2017 8:20:54 PM PDT by ichabod1 (Smoke does not mean fire when someone threw a smoke grenade.)

To: ButThreeLeftsDo

Windows 7 Professional user here...works great on a Dell.


14 posted on 10/10/2017 8:21:20 PM PDT by entropy12 (Republicans flirt with liberal media who will never vote for them! So dumb.)

To: Fiddlstix

Microsoft sucks. Admittedly, I’m a Mac person, but I had to buy a MS compatible computer to fill out some paperwork for a job, had a MS computer for my job and also got a tablet/computer thru work. All three had Windows 10.

I’d love to meet the designers of these systems and ask them, What the F*ck Were You Thinking? Windows10 sucks a fat hairy one.


15 posted on 10/10/2017 8:23:16 PM PDT by qaz123

To: wastedyears
> I’m sticking with windows 7 until they decide to make the UI and explorer and everything else function on newer versions of Windows just like Win7.

If you're not already familiar with it, and you have to deal with Win8/10 systems, check out Classic Shell. Makes the Win8/10 desktop and start menu look and feel a lot like Win7 (or even WinXP if you wish). It has saved my sanity, and quite likely, my job (I'm a SysAdmin).

16 posted on 10/10/2017 8:28:30 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

My wife now does 99% of her “computering” on her Kindle. If she decides she doesn’t need a PC going forward, I think I will start looking at UNIX/LINUX after I retire my Win 7 Pro PC.


17 posted on 10/10/2017 8:29:32 PM PDT by CatOwner

To: dayglored

I still mourn the loss of my Win 7.


18 posted on 10/10/2017 8:34:57 PM PDT by Trumpnado2016 (Time to repeal and replace the entire GOP Congressional leadership team.)

To: tflabo

I wonder what a Model-T would look like now under such a program?


19 posted on 10/10/2017 8:40:58 PM PDT by TexasGator (Z)

To: dayglored

Someone might want to drop Microsoft an email and reference the NFL and how dangerous it is to piss off customers.


20 posted on 10/10/2017 8:44:02 PM PDT by txnativegop (The political left, Mankinds intellectual hemlock)

