It seems some days you just can’t win. Microsoft has been diligent about updating Windows 10 with bug fixes and improvements, and now Google’s Project Zero security team has complained this leaves Windows 7 and Windows 8 vulnerable to exploits revealed by the process.
The issue is due to Windows 7 and Windows 10 sharing the same code base, but bug fixes being rolled out to Windows 10 first and fast, and only later to Windows 7 and 8, allowing hackers to compare the code and detect changes, which can reveal the specifics of the bug fixed and the vulnerability in the unfixed, older version of the OS.
“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform,” said Google Project Zero researcher Mateusz Jurczyk. “This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”
Jurczyk claimes to have found several zero-day exploits using this technique, such as an uninitialized kernel memory disclosure, which can be used to bypass kernel ASLR.
“This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls,” he noted.
“We hope that these were some of the very few instances of such ‘low hanging fruit’ being accessible to researchers through diffing,” he concludes. “And we encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software.”
In a statement Microsoft made it clear they would prefer all Windows users simply be on the same version of the OS, saying:
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Source: Google Project Zero, via Winbuzzer.com