Microsoft is putting users of its older operating systems at risk by patching only Windows 10

April 4, 2022 0 Comments

Patching the latest vulnerabilities in Windows 10 while not backporting the same fixes to the still-supported Windows 7 and 8.1 hands attackers a map of unpatched vulnerabilities in the older operating systems.

Google’s Project Zero researcher Mateusz Jurczyk said in a blog post that Microsoft is risking the safety of its Windows 7 users by actively patching Windows 10 but not issuing similar patches for its older siblings.

Patch diffing (also called binary diffing) is a simple technique for locating vulnerabilities and potential attack paths in software: two builds of a binary that share the same core code, one containing a vulnerability and the other containing its security fix, are compared, and the code that changed points at the bug. Jurczyk notes that the same approach works across products that share code and coexist in the market but are serviced independently by the vendor, such as Windows 7, 8.1 and 10: a fix present in one build and absent from another reveals a bug that is still unpatched in the second.
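To make the comparison concrete, here is a toy patch-diffing script. It is an added example, not code from Project Zero's post or from any real diffing tool: two builds of the same module are modelled as a mapping from function name to machine-code bytes (the names and byte sequences are constructed for illustration), and rel32 call/jmp targets are masked before hashing so that functions that merely moved inside the image are not reported as changed. Real tools such as BinDiff or Diaphora work on disassembly and control-flow graphs rather than raw bytes; the masking here is only a heuristic to show why normalisation matters.

```python
"""Toy patch diffing over two builds of the same module.

Added example, not Project Zero's code.  Function names and byte
sequences below are constructed for illustration.
"""
import hashlib

CALL_REL32 = 0xE8  # call rel32
JMP_REL32 = 0xE9   # jmp  rel32


def normalize(code: bytes) -> bytes:
    """Mask the 4-byte displacement after every E8/E9 opcode.

    Relinking a module moves call targets even when the callee is
    untouched, so comparing raw bytes would flag almost everything.
    This byte scan is a heuristic (it does not disassemble, so an E8
    inside an immediate would also be masked); real tools normalise at
    the instruction level.
    """
    out = bytearray()
    i = 0
    while i < len(code):
        b = code[i]
        out.append(b)
        if b in (CALL_REL32, JMP_REL32) and i + 4 < len(code):
            out.extend(b"\x00\x00\x00\x00")
            i += 5
        else:
            i += 1
    return bytes(out)


def fingerprint(code: bytes) -> str:
    """Stable hash of a function body after normalisation."""
    return hashlib.sha256(normalize(code)).hexdigest()


def diff_builds(old: dict, new: dict) -> dict:
    """Classify functions as changed, added or removed between two builds.

    A function that is 'changed' in the patched build of one product but
    identical in another product sharing the same code is the candidate
    an attacker looks at first.
    """
    result = {"changed": [], "added": [], "removed": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            result["added"].append(name)
        elif name not in new:
            result["removed"].append(name)
        elif fingerprint(old[name]) != fingerprint(new[name]):
            result["changed"].append(name)
    return result


# Constructed sample builds (x86-64 bytes, hypothetical function names).
OLD_BUILD = {
    # push rbp; mov rbp,rsp; call +0x10; pop rbp; ret
    "HelperA": bytes.fromhex("55 4889e5 e810000000 5d c3"),
    # mov rax,[rdi+8]; ret   (no check on rdi)
    "CopyOut": bytes.fromhex("488b4708 c3"),
}
NEW_BUILD = {
    # identical code, but the call target moved after relinking
    "HelperA": bytes.fromhex("55 4889e5 e840010000 5d c3"),
    # test rdi,rdi; jz +5; mov rax,[rdi+8]; ret; xor eax,eax; ret
    # -> a NULL check was added: this is the "fix" the diff should expose
    "CopyOut": bytes.fromhex("4885ff 7405 488b4708 c3 31c0 c3"),
}


if __name__ == "__main__":
    for kind, names in diff_builds(OLD_BUILD, NEW_BUILD).items():
        print(f"{kind}: {names}")
```

Running the script reports only `CopyOut` as changed; `HelperA` is correctly treated as identical despite its different call displacement. Applied to real builds, the interesting output is the set of functions that changed in a patched product and are byte-identical in a sibling product that did not receive the patch.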

The blog post demonstrates the use of patch diffing to find three vulnerabilities in Windows 7 and 8.1: CVE-2017-8680, CVE-2017-8684 and CVE-2017-8685. Project Zero reported the bugs to Microsoft, which patched them in its May and September updates. “This creates a false sense of security for users of older systems, and exposes them to software flaws that can only be detected by identifying subtle changes to the corresponding code in different versions of Windows,” Jurczyk wrote.

The research further indicates that the vulnerabilities are not difficult to exploit and are within reach of non-advanced attackers. Jurczyk said software vendors should reduce such exploitation opportunities by consistently applying security improvements to all supported versions of their software.

A good reminder of why critical patches must reach older systems has come in the form of ransomware. After Microsoft ended support for Windows XP and Server 2003, those systems stopped receiving routine patches for newly discovered vulnerabilities, and the WannaCry and Petya ransomware outbreaks locked up users’ machines and demanded a ransom for the return of vital data.
