Redmond is patching Windows 8 but NOT Windows 7, say security bods
New tool checks differences, could lead to 0-day bonanza
Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems.
Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero-day vulnerabilities.
The missing safe functions were part of Microsoft’s dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks.
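As an added illustration of what such a "safe function" does (this is example code, not the article's or Microsoft's): portable C routines modelled on the contracts of intsafe.h (overflow-checked arithmetic, in the spirit of SizeTMult) and strsafe.h (bounded, always-terminated string copy, in the spirit of StringCchCopy), with the unchecked arithmetic a caller would otherwise write shown beside the checked version. The function and error-code names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes for this example (assumed names); the real headers use HRESULTs. */
#define SAFE_OK                 0
#define SAFE_E_OVERFLOW        -1
#define SAFE_E_BUFFER_TOO_SMALL -2
#define SAFE_E_INVALID_ARG     -3

/* Overflow-checked size_t multiplication in the intsafe.h style:
 * *result is written only when the product is exact. */
int safe_size_t_mult(size_t a, size_t b, size_t *result) {
    if (result == NULL) return SAFE_E_INVALID_ARG;
    if (a != 0 && b > SIZE_MAX / a) return SAFE_E_OVERFLOW; /* a * b would wrap */
    *result = a * b;
    return SAFE_OK;
}

/* The unchecked form a caller without a safe function tends to write:
 * the product silently wraps, so a later allocation ends up far too small. */
size_t unchecked_mult(size_t a, size_t b) { return a * b; }

/* Bounded copy in the strsafe.h style: cch_dest is the destination size in
 * characters including the terminator, dest is always NUL-terminated, and an
 * oversized source is truncated and reported rather than overrunning dest. */
int safe_str_copy(char *dest, size_t cch_dest, const char *src) {
    if (dest == NULL || src == NULL || cch_dest == 0) return SAFE_E_INVALID_ARG;
    size_t n = strlen(src);
    if (n >= cch_dest) {
        memcpy(dest, src, cch_dest - 1);
        dest[cch_dest - 1] = '\0';
        return SAFE_E_BUFFER_TOO_SMALL;
    }
    memcpy(dest, src, n + 1);
    return SAFE_OK;
}

int main(void) {
    /* Constructed input: an attacker-sized element count that wraps to 0. */
    size_t count = SIZE_MAX / 2 + 1, bytes = 0;
    printf("unchecked: %zu bytes\n", unchecked_mult(count, 2));          /* 0 */
    printf("checked: rc=%d\n", safe_size_t_mult(count, 2, &bytes));      /* -1 */
    char buf[8];
    printf("copy: rc=%d buf=\"%s\"\n", safe_str_copy(buf, sizeof buf, "0123456789"), buf);
    return 0;
}
```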
Researcher Moti Joseph (@gamepe) – formerly of Websense – speculated Microsoft had not applied fixes to Win 7 to save money.
“Why is it that Microsoft inserted a safe function into Windows 8 [but not] Windows 7? The answer is money – Microsoft does not want to waste development time on older operating systems … and they want people to move to higher operating systems,” Joseph said in a presentation at the Troopers14 conference.
Microsoft has been contacted for comment.
Joseph and malware analyst Marion Marschalek (@pinkflawd) developed a capable diffing (comparison) tool dubbed DiffRay, which compares Windows 8 with Windows 7 and logs any safe functions absent in the older platform.
It was “scary simple”, Marschalek said, and faster than finding vulnerabilities by hand.
[Image caption: DiffRay GUI and flow chart]
Security bods could then probe and pluck those functions to identify vulnerabilities and exploits. In a demonstration of DiffRay, the researchers found four missing safe functions in Windows 7 that were present in 8.
“If we get one zero-day from this project, it’s worth it,” Joseph said…
Does that mean we are as vulnerable as Windows XP? Could we sue Microsoft, say like a class action, if we lose data?
Should we be worried?
What in heaven's name has she said? I even HAD MY HEARING AIDS ON.
How about an explanation–MAYBE I’M JUST VERY DENSE.
If Microsoft is trying to be their own undoing this is certainly the way to do it. One of the reasons they lost so much of the market to Mac years ago was because it was far less secure. But now in this day and age if people think they deliberately and knowingly leave their systems insecure it begs the question of their integrity. Trust is a huge thing nowadays. What say ye Bill Gates?
Interesting, and disturbing news! Apparently Microsoft wants to strong-arm everyone into Windows 8.1. However, I do know for a fact that Microsoft did an update for Windows 7 the second Tuesday in May. It is vivid in my memory because it totally toasted my Windows 7 notebook computer. Everything was working fine on my notebook computer – and after the May Windows Updates several programs would no longer run and I get the message about Windows Explorer not closing. Now, I’m wondering are you referring to separate “patches” or the regular, monthly Windows Updates – or are they synonymous?
If it is true that Microsoft is patching Windows 8 and not providing patches for Windows 7, which is my current computer, my next computer WILL be a Mac! I have been teetering whether to continue with Microsoft by buying another one of their computers or a Mac, which my husband recently purchased and loves. I don’t think much of a company [Microsoft?] that doesn’t take care of the products it makes and sells and is still on the market. I don’t think much of coercion either when it comes to possibly forcing people to buy one product by virtue of NOT fixing a product they have in the market. That is poor business and it will certainly drive me away from many of their products!
Me Too.
It patched my Windows 7….
If you re-read the article, it does not say that Windows 7 is not getting updates, it is saying that critical updates being released for Windows 8 are not being released for Windows 7. Just because Windows 8x does not look like Windows 7 on the surface, the core of Windows 8x is Windows 7, which means a lot of the security features of Windows 8x are the same as Windows. This article does not say Windows 7 users are not getting updates, it says that Windows 8.x users are getting security patches while Windows 7 users are not getting them. Just wanted to make that clear. Just because you’re still getting updates (and you will continue to get updates for several years) you are not getting some of the critical updates that apply to both Windows 8.x and Windows 7.
I also wonder about the updates messing with Firefox. Just maybe they are adding things they should not and causing problems with other browsers. Don’t know, but it could be that way.