Posted on 10/10/2017 7:39:50 PM PDT by dayglored
Versions in use by millions lag behind latest OS, leaving systems vulnerable to attack
Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.
Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases such as the Anniversary Update and the Creator's Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.
This is all according to researchers on Google's crack Project Zero team. The fear is that miscreants comparing the various public builds of Windows will notice these vulnerabilities are being silently fixed in Windows 10, realize the same holes are present in earlier versions of Windows which are still used in homes and businesses worldwide and thus exploit the bugs to infect systems and spy on people. And if hackers haven't realized this, they will now: Google staffers have publicly blogged about it.
Redmond engineers are quietly addressing these Windows security flaws as part of their efforts to improve components within the Windows 10 operating system. For instance, a team may be tasked with improving memory management in the kernel, and as a result, will rewrite chunks of the source code, boosting the software's performance while squashing any pesky exploitable bugs along the way. For the marketing department, this is great news: now they can boast about faster loading times. Malware developers, meanwhile, can celebrate when they discover the programming blunders are still present in Windows 8 and 7.
"Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform," Google Project Zero researcher Mateusz Jurczyk said on Thursday.
"This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows."
As an example of the problem, Jurczyk highlighted the wobbly use of memset() within the kernel. This is a function that is supposed to overwrite bytes in a specific area of memory to a specific value, such as zero, thus scrubbing away whatever was previously stored in that portion of memory.
When the kernel is told by an application, via the NtGdiGetGlyphOutline system call, to fill an area of memory with information, and copy it into the app's memory space, the OS doesn't fully overwrite the area using memset() prior to the copy operation. This means the kernel ends up copying into the application's memory space left over private kernel data, thus leaking information it really shouldn't. This can be useful to snoop on the OS and other programs, or gain enough knowhow of the system's internal operations to pull off more damaging exploits.
This information-disclosure bug was fixed in Windows 10, but remained present in Windows 7 and Windows 8.1 until it was reported by Project Zero to Microsoft at the end of May this year and fixed in patches for Windows 7 and 8.1 systems in September. Google typically gives vendors, including Microsoft, 90 days to address any reported security shortcomings before going public, forcing developers and manufacturers to play their hand.
This months-long lag in deploying patches to previous flavors of Windows is leaving systems vulnerable to attack. By broadly upgrading the security defenses in Windows 10, Microsoft is making it easier for hackers to see where they could exploit weak spots in older versions.
"Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security," Jurczyk explained.
"This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls."
While it's not realistic to expect a vendor to maintain major updates and produce patches indefinitely for older software versions, as many as half of all Windows users are still running Windows 7 and 8 meaning millions of people are being put at risk by Windows 10's security improvements, ironically.
Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.
"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible," a Microsoft spokesperson told The Register.
"Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Translation: please, please stop using Windows 7 and 8. ®
Well, too bad, Microsoft. Win7 and Win8 users are still entitled to security fixes for another 2+ years (Win7) and many more with Win8.1.
Microsoft is playing a dangerous game -- more and more people are upgrading from Win7 and Win8 to something other than Windows. It's always better for business to keep an existing customer than to have to scout around and attract more. It's especially difficult to win back a customer who has deserted. You'd think Microsoft would want to keep existing customers happy even if they're not running the latest and greatest release.
![]() |
![]() |
---|
Business as usual for Micro$loth
Still working with W7 Enterprise at work, with no plan to replace it.
Microsoft could charge a modest yearly fee to maintain security on older OS systems and yet still sell enough newer OS system computers for profits. Leftist greedy tasbards.
Its all our fault, for buying all those different OSes and upgrading...what were we thinking? Why didn’t Microsoft tell us....uh, wait what?
Oh, they already do that. If you're a large enough customer (think 1000s of installed machines) you can pay Microsoft to give you patches for everything back to and including WinXP.
That was demonstrated within the past year when Microsoft was able to release an emergency patch for WinXP with zero delay -- they already had developed it for their "paying" customers.
There are tons businesses and individuals who are in "When You Pry It From My Cold Dead Fingers" mode about Win7.
I admit, I'm largely (though not entirely) in that camp too.
Another reason to hate Microsoft
Heh. Earlier in the week, was in the Coeur d’Alene department that handles mobile home titles. Noticed the lock screens on their systems was the old Win XP one.
I’m sticking with windows 7 until they decide to make the UI and explorer and everything else function on newer versions of Windows just like Win7.
Funny how they’ll still support XP users if they’re big enough or government enough.
They’ve already GOT that money, now their only interest is getting you to buy again.
Windows 7 Professional user here...works great on a Dell.
Microsoft sucks. Admittedly, I’m a Mac person, but I had to buy a MS compatible computer to fill out some paperwork for a job, had a MS computer for my job and also got a tablet/computer thru work. All three had Windows 10.
I’d love to meet the designers of these systems and ask them, What the F*ck Were You Thinking? Windows10 sucks a fat hairy one.
If you're not already familiar with it, and you have to deal with Win8/10 systems, check out Classic Shell. Makes the Win8/10 desktop and start menu look and feel a lot like Win7 (or even WinXP if you wish). It has saved my sanity, and quite likely, my job (I'm a SysAdmin).
My wife now does 99% of her “computering” on her Kindle. If she decides she doesn’t need a PC going forward, I think I will start looking at UNIX/LINUX after I retire my Win 7 Pro PC.
I still mourn the loss of my Win 7.
I wonder what a Model-T would look like now under such a program?
someone might want to drop Microsoft an email and reference the NFL and how dangerous it is to piss off customers.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.