Google Says Microsoft Is Exposing Windows 7 Users to Security Risks by Not Patching Bugs It Fixes in Windows 10
Microsoft is not a big fan of Google's Project Zero, but the latter continues to spot security flaws in the Redmond software maker's products and strategies. Mateusz Jurczyk, a Project Zero researcher, has now revealed how Microsoft putting Windows 10 as its first priority is neglecting Windows 7 at the risk of compromising user security.
The Windows operating system currently has three versions under active support: Windows 7, 8 and 10. While Windows 7 continues to dominate the PC world, Microsoft brings fixes to most of the security issues only to Windows 10.
Microsoft may not be backporting all the security fixes to Windows 7, 8
The problem for Windows 7 users becomes two-fold as they don't have the security protections of these patches and hackers, who may have previously been unaware of the issue, get to learn about these zero-day vulnerabilities through post-patch bulletins.
"While Windows 7 still has a nearly 50% share on the desktop market at the time of this writing, Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bugfixes only to the most recent Windows platform.
This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows."
Jurczyk added that the company is essentially exposing its userbase to attacks by visibly revealing "what the attack vectors are, which works directly against user security." Leaving clues for hackers with its Windows 10 patches on how to infect those on Windows 7, hackers can use a technique called binary diffing:
"Binary diffing can be utilized to discover discrepancies between two or more versions of a single product, if they share the same core code and coexist on the market, but are serviced independently by the vendor."
According to the Project Zero researcher, this process doesn't even require any low-level knowledge of the operating system internals, which means even the non-advanced attackers can work out the vulnerabilities patched for Windows 10 and exploit them on Windows 7.
"We hope that these were some of the very few instances of such 'low hanging fruit' being accessible to researchers through diffing," Jurczyk said. "We encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software."
- Technical details are available in this blog post.