Free Republic
Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold
The Register ^ | Oct 6, 2017 | Shaun Nichols

Posted on 10/10/2017 7:39:50 PM PDT by dayglored

Versions in use by millions lag behind latest OS, leaving systems vulnerable to attack

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creators Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

This is all according to researchers on Google's crack Project Zero team. The fear is that miscreants comparing the various public builds of Windows will notice these vulnerabilities are being silently fixed in Windows 10, realize the same holes are present in earlier versions of Windows – which are still used in homes and businesses worldwide – and thus exploit the bugs to infect systems and spy on people. And if hackers haven't realized this, they will now: Google staffers have publicly blogged about it.

Redmond engineers are quietly addressing these Windows security flaws as part of their efforts to improve components within the Windows 10 operating system. For instance, a team may be tasked with improving memory management in the kernel, and as a result, will rewrite chunks of the source code, boosting the software's performance while squashing any pesky exploitable bugs along the way. For the marketing department, this is great news: now they can boast about faster loading times. Malware developers, meanwhile, can celebrate when they discover the programming blunders are still present in Windows 8 and 7.

"Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform," Google Project Zero researcher Mateusz Jurczyk said on Thursday.

"This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows."

As an example of the problem, Jurczyk highlighted the wobbly use of memset() within the kernel. This is a function that is supposed to overwrite bytes in a specific area of memory to a specific value, such as zero, thus scrubbing away whatever was previously stored in that portion of memory.

When the kernel is told by an application, via the NtGdiGetGlyphOutline system call, to fill an area of memory with information, and copy it into the app's memory space, the OS doesn't fully overwrite the area using memset() prior to the copy operation. This means the kernel ends up copying into the application's memory space left over private kernel data, thus leaking information it really shouldn't. This can be useful to snoop on the OS and other programs, or gain enough knowhow of the system's internal operations to pull off more damaging exploits.

This information-disclosure bug was fixed in Windows 10, but remained present in Windows 7 and Windows 8.1 – until it was reported by Project Zero to Microsoft at the end of May this year and fixed in patches for Windows 7 and 8.1 systems in September. Google typically gives vendors, including Microsoft, 90 days to address any reported security shortcomings before going public, forcing developers and manufacturers to play their hand.
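To make the memset() point concrete, here is an added, self-contained C example that is not code from The Register's article, from Project Zero, or from Windows itself. It models the bug class in miniature: a "kernel" routine takes a block from a pool that earlier held sensitive data, writes only the bytes the request needs, and copies the whole block back to the caller, so the untouched slack carries stale pool contents into user space. The hardened variant clears the block first, which is exactly the kind of "added memset call" Jurczyk describes. The pool, the 0xAA marker for stale data, and all function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel pool region that an earlier operation
 * filled with sensitive data. Nothing here is real Windows code. */
#define POOL_SIZE   64
#define RESULT_SIZE 32          /* size of the block handed back to the caller */
#define STALE_BYTE  0xAA        /* marker for "old kernel data left in the pool" */

static uint8_t pool[POOL_SIZE];

/* Simulate a previous kernel operation leaving a secret behind in the pool. */
static void seed_pool_with_secret(void) {
    memset(pool, STALE_BYTE, POOL_SIZE);
}

/* Vulnerable pattern: take a block from the pool without clearing it, fill
 * only the `used` bytes the request needs, then copy the entire block to the
 * caller. Bytes [used, RESULT_SIZE) still hold whatever the pool held before. */
static void fill_result_vulnerable(uint8_t *user_buf, size_t used) {
    uint8_t *kbuf = pool;                       /* "allocation" with no clearing */
    for (size_t i = 0; i < used && i < RESULT_SIZE; i++)
        kbuf[i] = (uint8_t)i;                   /* the legitimate result bytes */
    memcpy(user_buf, kbuf, RESULT_SIZE);        /* slack bytes travel along */
}

/* Hardened pattern: scrub the whole block before populating it, so the slack
 * the caller receives is zero instead of stale kernel data. */
static void fill_result_fixed(uint8_t *user_buf, size_t used) {
    uint8_t *kbuf = pool;
    memset(kbuf, 0, RESULT_SIZE);               /* the added memset() call */
    for (size_t i = 0; i < used && i < RESULT_SIZE; i++)
        kbuf[i] = (uint8_t)i;
    memcpy(user_buf, kbuf, RESULT_SIZE);
}

/* Count how many bytes in the caller's copy still carry the stale marker.
 * In a real test harness this is the check you would run against the
 * returned buffer to detect an uninitialised-memory disclosure. */
static size_t count_stale_bytes(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE_BYTE) n++;
    return n;
}

/* Convenience wrappers: seed the pool, run one variant, report leaked bytes. */
size_t leaked_bytes_vulnerable(size_t used) {
    uint8_t out[RESULT_SIZE];
    seed_pool_with_secret();
    fill_result_vulnerable(out, used);
    return count_stale_bytes(out, RESULT_SIZE);
}

size_t leaked_bytes_fixed(size_t used) {
    uint8_t out[RESULT_SIZE];
    seed_pool_with_secret();
    fill_result_fixed(out, used);
    return count_stale_bytes(out, RESULT_SIZE);
}

int main(void) {
    /* With 8 of 32 bytes legitimately written, the vulnerable path hands the
     * caller 24 bytes of stale pool data; the fixed path hands back none. */
    printf("vulnerable: %zu stale bytes reached the caller\n",
           leaked_bytes_vulnerable(8));
    printf("fixed:      %zu stale bytes reached the caller\n",
           leaked_bytes_fixed(8));
    return 0;
}
```

The interesting property is that the vulnerable function is entirely correct from the caller's point of view: the bytes it asked for are right, and only the bytes it did not ask for are wrong. That is why this bug class is invisible in normal testing and why, as Jurczyk notes, the fix is obvious once you see the memset() appear in one build and not another.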

This months-long lag in deploying patches to previous flavors of Windows is leaving systems vulnerable to attack. By broadly upgrading the security defenses in Windows 10, Microsoft is making it easier for hackers to see where they could exploit weak spots in older versions.

"Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security," Jurczyk explained.

"This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls."

While it's not realistic to expect a vendor to maintain major updates and produce patches indefinitely for older software versions, as many as half of all Windows users are still running Windows 7 and 8 – meaning millions of people are being put at risk by Windows 10's security improvements, ironically.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.

"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible," a Microsoft spokesperson told The Register.

"Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Translation: please, please stop using Windows 7 and 8. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: microsoft; patches; security; windows; windows10; windowspinglist; windowsupdate
To: CatOwner

[[This is something I plan to research a lot as I really don’t want to “upgrade” beyond Win 7 Pro. ]]

I don’t blame you- When I learned what windows 10 was all about- I said “Nope- not gonna happen’ and decided to dual boot with linux as my main online OS and windows 7 as my offline OS for windows only programs such as photoshop and games- I’ve been very happy with my decision- windows 10 will have to do a lot of revamping before I’ll consider going back to windows only- plus I enjoy the fact that linux is much much less vulnerable to viruses- though not totally immune- and it’s quick and very stable- windows seems to really work my computer- linux runs almost silently- and cooler as well-

Watch some youtube vids of linux mint- it really is a nice os-


41 posted on 10/10/2017 9:34:08 PM PDT by Bob434

To: ButThreeLeftsDo

Microsoft 7 was a good program. After some possible hacking problems, Microsoft put in W8 and totally screwed it up, leaving out links, possible security software, etc.

Damned. I miss WordPerfect 5 and 7. Never had any problems with them.


42 posted on 10/10/2017 9:36:47 PM PDT by MadMax, the Grinning Reaper

To: dayglored

Start Menu X is also a good front end.


43 posted on 10/10/2017 9:37:26 PM PDT by RocketMan1 (Privileged White Cracker)

To: Paladin2

it does- but finding out what to copy and paste takes some learning- it’s not easy for folks like me unfamiliar with command line stuff- not even sure what key words to look for when running into areas that need command lines- and a lot of those linux sites talk way above my understanding- I eventually get it but it takes a long time sometimes for me to get the right info and understand it enough to do more complex stuff-


44 posted on 10/10/2017 9:38:27 PM PDT by Bob434

To: ButThreeLeftsDo

My husband got a Win10 laptop for our business when they first came out to ease him into using the new operating system. He still has trouble every time he takes the thing out. All this time and he has not adjusted yet. If it’s not the software, the hardware is incompatible where he goes to speak.

He is not the most tech savvy person in the world and as soon as something goes wrong he panics. His desktop is Win7 and he has trouble enough with that one. Why can’t they make it easier on non-technical people?

Win10 has been just fine for me so far. It only took me a couple days to get with the program. I got it with a new machine. I would never update an old one with that system.


45 posted on 10/10/2017 9:40:37 PM PDT by Bookwoman (...and I am unanimous in this...")

To: Bob434

“photo ‘dark room’ stuff-”

Sounds dodgy...

Win 7 and Win 10 VMs are questionable in the performance dept.

It’s always been easy to write s/w that can overcome the h/w. The two need to be somewhat matched wrt calendar eras. Older o/s with contemporary apps seem to work fine in VMs on much newer hardware.


46 posted on 10/10/2017 9:58:04 PM PDT by Paladin2 (No spelchk nor wrong word auto substition on mobile dev. Please be intelligent and deal with it....)

To: RocketMan1

I talked with two techies when I was installing some anti-virus software and on both occasions they said they personally used windows 7


47 posted on 10/10/2017 10:00:49 PM PDT by Maudeen (This world is not my home.)

To: dayglored

How about 3.0?

;^D


48 posted on 10/10/2017 10:30:47 PM PDT by Bikkuri

To: Paladin2

[[“photo ‘dark room’ stuff-”

Sounds dodgy...]]

Lol- no- I mean it’s a digital darkroom for post processing photos


49 posted on 10/11/2017 12:29:28 AM PDT by Bob434

To: CatOwner

I find Mint to be a bit bloated. Won’t run as fast on our thinkpads as ubuntu variants. Mint is based on debian AND ubuntu which might be why it ran slower for me. It looks nice though.

There’s a bunch of flavors of ubuntu, Lubuntu, xubuntu, kubuntu, edubuntu.
https://en.wikipedia.org/wiki/List_of_Linux_distributions#Ubuntu-based
My favorite has become ubuntu studio. Even though I don’t use all the bundled software (you can choose which ones you want and create a build so to speak), it runs in low-latency mode and it’s a rare thing to make it freeze. I’ve used video editing software on this business laptop and never could before until ubuntu studio.

And you can make ubuntu(and probably mint) look like windows(or mac) using a theme.

https://duckduckgo.com/how+to+make+ubuntu+look+like+windows&ia=web

About the only time you have to use the terminal - command line, is when you want to add a software repository to get a program not listed in the regular ubuntu repositories or once in a while, compile a program from source code but the regular ubuntu repositories have pretty much any program a regular user would need. I just like trying out alternatives. That and you can do some neat things from the terminal. For example, there’s an image editing program called imagemagick that will do amazing things but is command line only. It was built to work on web servers. It’s strange working with images without actually seeing them but it works and is fast. A GUI(graphic user interface) is what takes up a lot of processing power. A program can work much more efficiently without having to draw the GUI on the screen for us to see.

For one or two images, I just use gimp(like photoshop) but for bulk processes, I use imagemagick. It can edit 100 images in a folder in seconds.

I do have a few programs I use that are available for windows only so I have the dual boot setup. I don’t surf on windows so I have updates turned off because I’m not worried about security since windows isn’t connected to any network, local or internet. I have wifi and hard wire networking turned off in windows as well so it can’t connect. Win 7 Pro service pack 2 is what I run for windows. Best there ever was imho.

I haven’t paid a dime for software in years. No virus or malware/adware in that same time. Most of the time, those things came from some free program. You get what you pay for and pay for what you get with microsoft.


50 posted on 10/11/2017 8:24:34 AM PDT by Pollard (TRUMP 2016)

To: dayglored

Does Apple fix their old versions? Apple is notorious for deprecating software and hardware just a few years old.


51 posted on 10/11/2017 9:03:00 AM PDT by CodeToad (CWII is coming. Arm Up! They Are!)

To: CodeToad
> Does Apple fix their old versions? Apple is notorious for deprecating software and hardware just a few years old.

Sure, Apple fixes their old versions... per a published schedule.

Apple, like Microsoft and most others, publishes a support timeline that says when support (features, updates, security fixes, etc.) will stop for each release. Publishing such deadlines is pretty much standard practice.

The objection here is NOT that Microsoft will stop support for Win7 in Jan 2020 and for Win8.1 in Jan 2023. They've been saying that officially for years, we accept those deadlines.

The objection is that Microsoft has quietly been NOT providing that support, for Win7 and Win8.1, more than two years before those deadlines are supposed to come into effect.

I am not aware of Apple ever doing such a thing. Whether Microsoft has done so in the past is anyone's guess.

For what it's worth, Microsoft has what I consider an exemplary overall record for providing support for old releases. They've bitched and moaned about it, but they generally have provided support for many years more than Apple or other companies typically do.

Frankly the reason is that a huge percentage of Windows users are reluctant to upgrade to newer versions, meaning support is necessary for security reasons, long past when Microsoft wants to stop it.

52 posted on 10/11/2017 12:47:46 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Apple is known for dropping support and surprising customers. Granted, I don’t ever recall anyone including Apple claiming they support something they aren’t, but Apple has no better customer reputation than Microsoft.


53 posted on 10/11/2017 3:08:09 PM PDT by CodeToad (CWII is coming. Arm Up! They Are!)

To: CodeToad
> Apple is known for dropping support and surprising customers.

They have occasionally announced some pretty short cutoff schedules, that is true.

> Granted, I don’t ever recall anyone including Apple claiming they support something they aren’t,...

That's precisely the issue here. Dropping support on the sly can only mean that Microsoft simply doesn't give a crap about supporting Win7 and Win8.1 according to their published schedule.

If Microsoft had announced, "Hey we changed our minds, you Win7 and Win8.1 users are going to lose support for some critical security fixes now, not when we said", that would at least be honest.

They didn't. Hence the problem.

54 posted on 10/11/2017 3:34:34 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Bob434

Bfl


55 posted on 10/12/2017 9:39:45 PM PDT by pigsmith
