Google: By only patching Windows 10, Microsoft is putting Windows 7 and 8.x users in danger
We all know that Microsoft’s focus is on Windows 10. The software giant wants users to upgrade to its new operating system, and has regularly spoken about how that OS keeps users safe.
However, according to Google Project Zero researcher Mateusz Jurczyk, by focusing on patching Windows 10, and not applying the same fixes to Windows 7 and 8.x, Microsoft is actually putting users of those two older operating systems at risk.
While filing an issue in the Project Zero bug tracker (Windows Kernel pool memory disclosure in win32k!NtGdiGetGlyphOutline) and analyzing it, Jurczyk noticed that the bug was present only in Windows 7 and 8.x, not in Windows 10. That, he found, is because Microsoft had patched it on the newest OS but not on the older versions.
That discovery led him to do further digging, using a technique called "binary diffing", and he found more examples of fixes that had been applied to Windows 10, but not to Windows 7 or 8.x. He goes into full details in a lengthy post here.
By using binary diffing in the same way Jurczyk did, comparing the patched code in a modern OS against the corresponding code in older versions, attackers can identify fixes and use them to uncover weaknesses in older, unpatched versions.
"Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bugfixes only to the most recent Windows platform. This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows," Jurczyk explains.
"Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security. This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls."
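The bug class Jurczyk names in that last sentence, a kernel routine that returns a partially initialised structure and the one-line memset that fixes it, shown as an added C example that is not from the article or from Project Zero's report: the glyph_reply structure, its field names and the 0xAA stale-byte marker are all constructed for illustration, with the stale marker standing in for data left behind in reused pool memory.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define STALE 0xAA  /* constructed marker for leftover bytes in reused pool memory */

/* Hypothetical reply structure handed back to user mode (constructed for this example). */
struct glyph_reply {
    uint32_t width;
    uint32_t height;
    char     face[16];   /* only strlen(name)+1 bytes are written below */
};

/* Stand-in for a pool allocation that still holds a previous caller's bytes. */
static void simulate_pool_alloc(void *p, size_t n) { memset(p, STALE, n); }

/* Bounded copy of the face name; never writes past the end of face[]. */
static void set_face(struct glyph_reply *r, const char *name) {
    size_t n = strlen(name) + 1;
    if (n > sizeof r->face) n = sizeof r->face;
    memcpy(r->face, name, n);
}

/* "Before": fills the fields it needs and copies the whole struct out.
 * Every byte of face[] past the terminator reaches the caller unchanged. */
static void reply_leaky(struct glyph_reply *out, const char *name) {
    struct glyph_reply r;
    simulate_pool_alloc(&r, sizeof r);
    r.width = 12; r.height = 20;
    set_face(&r, name);
    memcpy(out, &r, sizeof r);
}

/* "After": the added memset guarantees no stale byte reaches the caller. */
static void reply_fixed(struct glyph_reply *out, const char *name) {
    struct glyph_reply r;
    simulate_pool_alloc(&r, sizeof r);
    memset(&r, 0, sizeof r);             /* the one-line fix */
    r.width = 12; r.height = 20;
    set_face(&r, name);
    memcpy(out, &r, sizeof r);
}

/* Runs one handler and counts returned bytes still carrying the stale marker;
 * a non-zero count is what a memory-disclosure check on the output would flag. */
static size_t leak_count(void (*fn)(struct glyph_reply *, const char *)) {
    struct glyph_reply out;
    fn(&out, "Sans");                    /* constructed input: 5 bytes written into face[16] */
    const unsigned char *b = (const unsigned char *)&out;
    size_t n = 0;
    for (size_t i = 0; i < sizeof out; i++) n += (b[i] == STALE);
    return n;
}
```

Binary diffing spots exactly this kind of change: the patched build contains a memset call that the unpatched one lacks, so the missing call in the older binary marks where the disclosure still exists.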
Image credit: TeodorLazarev / Shutterstock