A Windows XP help forum. PCbanter


Microsoft silently fixes security holes in Windows 10 -- dumps Win 7, 8 out in the cold



 
 
  #1  
Old October 8th 17, 06:13 PM posted to alt.windows7.general
Steve Hayes[_2_]
external usenet poster
 
Posts: 1,089
Default Microsoft silently fixes security holes in Windows 10 -- dumps Win 7, 8 out in the cold

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8
out in the cold

Versions in use by millions lag behind latest OS, leaving systems
vulnerable to attack

By Shaun Nichols in San Francisco 6 Oct 2017 at 19:34

https://t.co/z6zw1aNhCq

Your new compassionate and caring Microsoft, right there

Microsoft is silently patching security bugs in Windows 10, and not
immediately rolling out the same updates to Windows 7 and 8,
potentially leaving hundreds of millions of computers at risk of
attack.

Flaws and other programming blunders that are exploitable by hackers
and malware are being quietly cleaned up and fixed in the big Windows
10 releases – such as the Anniversary Update and the Creator's Update.
But this vital repair work is only slowly, if at all, filtering back
down to Windows 7 and Windows 8 in the form of monthly software
updates.

This is all according to researchers on Google's crack Project Zero
team. The fear is that miscreants comparing the various public builds
of Windows will notice these vulnerabilities are being silently fixed
in Windows 10, realize the same holes are present in earlier versions
of Windows – which are still used in homes and businesses worldwide –
and thus exploit the bugs to infect systems and spy on people. And if
hackers haven't realized this, they will now: Google staffers have
publicly blogged about it.

Redmond engineers are quietly addressing these Windows security flaws
as part of their efforts to improve components within the Windows 10
operating system. For instance, a team may be tasked with improving
memory management in the kernel, and as a result, will rewrite chunks
of the source code, boosting the software's performance while
squashing any pesky exploitable bugs along the way. For the marketing
department, this is great news: now they can boast about faster
loading times. Malware developers, meanwhile, can celebrate when they
discover the programming blunders are still present in Windows 8 and
7.

"Microsoft is known for introducing a number of structural security
improvements and sometimes even ordinary bug fixes only to the most
recent Windows platform," Google Project Zero researcher Mateusz
Jurczyk said on Thursday.

"This creates a false sense of security for users of the older
systems, and leaves them vulnerable to software flaws which can be
detected merely by spotting subtle changes in the corresponding code
in different versions of Windows."

As an example of the problem, Jurczyk highlighted the wobbly use of
memset() within the kernel. This is a function that is supposed to
overwrite bytes in a specific area of memory to a specific value, such
as zero, thus scrubbing away whatever was previously stored in that
portion of memory.

When the kernel is told by an application, via the
NtGdiGetGlyphOutline system call, to fill an area of memory with
information, and copy it into the app's memory space, the OS doesn't
fully overwrite the area using memset() prior to the copy operation.
This means the kernel ends up copying into the application's memory
space left over private kernel data, thus leaking information it
really shouldn't. This can be useful to snoop on the OS and other
programs, or gain enough knowhow of the system's internal operations
to pull off more damaging exploits.

This information-disclosure bug was fixed in Windows 10, but remained
present in Windows 7 and Windows 8.1 – until it was reported by
Project Zero to Microsoft at the end of May this year and fixed in
patches for Windows 7 and 8.1 systems in September. Google typically
gives vendors, including Microsoft, 90 days to address any reported
security shortcomings before going public, forcing developers and
manufacturers to play their hand.

This months-long lag in deploying patches to previous flavors of
Windows is leaving systems vulnerable to attack. By broadly upgrading
the security defenses in Windows 10, Microsoft is making it easier for
hackers to see where they could exploit weak spots in older versions.

"Not only does it leave some customers exposed to attacks, but it also
visibly reveals what the attack vectors are, which works directly
against user security," Jurczyk explained.

"This is especially true for bug classes with obvious fixes, such as
kernel memory disclosure and the added memset calls."

While it's not realistic to expect a vendor to maintain major updates
and produce patches indefinitely for older software versions, as many
as half of all Windows users are still running Windows 7 and 8 –
meaning millions of people are being put at risk by Windows 10's
security improvements, ironically.

Windows 8.1 is supposed to receive monthly security fixes until
January 10, 2023, and for Windows 7, January 14, 2020.

"Windows has a customer commitment to investigate reported security
issues, and proactively update impacted devices as soon as possible,"
a Microsoft spokesperson told The Register.

"Additionally, we continually invest in defense-in-depth security, and
recommend customers use Windows 10 and the Microsoft Edge browser for
the best protection."

Translation: please, please stop using Windows 7 and 8

https://t.co/z6zw1aNhCq
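
The bug class the quoted article describes (an area only partly filled, then copied whole to the caller) and the added-memset fix, reduced to a user-space C model. This is an added example, not code from the article, Project Zero or Windows; every name in it (scratch, render_outline, query_vulnerable, query_fixed) is hypothetical and the stale bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#define SCRATCH_SIZE 64
#define STALE 0xA5   /* constructed marker for leftover private data */

/* Hypothetical stand-in for a kernel allocation that gets reused. */
static unsigned char scratch[SCRATCH_SIZE];
/* An earlier, unrelated operation leaves its data behind in the allocation. */
static void earlier_kernel_work(void) { memset(scratch, STALE, sizeof scratch); }

/* The real work writes only `produced` bytes of output. */
static void render_outline(unsigned char *dst, size_t produced) { memset(dst, 0x11, produced); }

/* Before the fix: the whole requested length is copied out, written or not. */
size_t query_vulnerable(unsigned char *user, size_t requested, size_t produced) {
    if (requested > SCRATCH_SIZE || produced > requested) return 0;
    render_outline(scratch, produced);
    memcpy(user, scratch, requested);   /* tail still holds stale bytes */
    return requested;
}

/* After the fix: the area is zeroed before it is filled and copied. */
size_t query_fixed(unsigned char *user, size_t requested, size_t produced) {
    if (requested > SCRATCH_SIZE || produced > requested) return 0;
    memset(scratch, 0, requested);      /* the added memset */
    render_outline(scratch, produced);
    memcpy(user, scratch, requested);
    return requested;
}

/* Counts stale bytes that reached the caller past the written region. */
size_t count_stale(const unsigned char *user, size_t produced, size_t len) {
    size_t n = 0;
    for (size_t i = produced; i < len; i++) if (user[i] == STALE) n++;
    return n;
}

/* Runs one query (48 bytes requested, 20 produced) and reports the leak. */
size_t demo(int fixed) {
    unsigned char user[SCRATCH_SIZE] = {0};
    earlier_kernel_work();
    size_t got = fixed ? query_fixed(user, 48, 20) : query_vulnerable(user, 48, 20);
    return count_stale(user, 20, got);
}

int main(void) {
    printf("stale bytes copied out: before fix %zu, after fix %zu\n", demo(0), demo(1));
    return 0;
}
```

The same check works as a regression test: pre-fill the buffer with a known marker, call the routine, and fail if the marker appears anywhere in the returned data.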
  #2  
Old October 8th 17, 06:42 PM posted to alt.windows7.general
Fokke Nauta[_4_]
external usenet poster
 
Posts: 587
Default Microsoft silently fixes security holes in Windows 10 -- dumps Win 7, 8 out in the cold

On 08/10/2017 19:29, FredW wrote:
On Sun, 08 Oct 2017 19:13:37 +0200, Steve Hayes
wrote:

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8
out in the cold

Versions in use by millions lag behind latest OS, leaving systems
vulnerable to attack

By Shaun Nichols in San Francisco 6 Oct 2017 at 19:34

https://t.co/z6zw1aNhCq



And this weird link may be from ... ?


www.theregister.co.uk

Fokke
  #3  
Old October 8th 17, 06:45 PM posted to alt.windows7.general
Fokke Nauta[_4_]
external usenet poster
 
Posts: 587
Default Microsoft silently fixes security holes in Windows 10 -- dumps Win 7, 8 out in the cold

On 08/10/2017 19:42, Fokke Nauta wrote:
On 08/10/2017 19:29, FredW wrote:
On Sun, 08 Oct 2017 19:13:37 +0200, Steve Hayes
wrote:

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8
out in the cold

Versions in use by millions lag behind latest OS, leaving systems
vulnerable to attack

By Shaun Nichols in San Francisco 6 Oct 2017 at 19:34

https://t.co/z6zw1aNhCq



And this weird link may be from ... ?


www.theregister.co.uk

Fokke


To be more precise:
https://www.theregister.co.uk/2017/1...lder_versions/

Fokke
  #4  
Old October 8th 17, 10:48 PM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Microsoft silently fixes security holes in Windows 10 -- dumps Win 7, 8 out in the cold

Steve Hayes wrote:

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8
out in the cold

Versions in use by millions lag behind latest OS, leaving systems
vulnerable to attack

By Shaun Nichols in San Francisco 6 Oct 2017 at 19:34

https://t.co/z6zw1aNhCq


When providing redirection links, show the long URL and your shortened
URL. Don't expect anyone to blindly visit some hidden target.

Your unfurled redirection URL points to:

https://www.theregister.co.uk/2017/1...lder_versions/

Your new compassionate and caring Microsoft, right there

Microsoft is silently patching security bugs in Windows 10, and not
immediately rolling out the same updates to Windows 7 and 8,
potentially leaving hundreds of millions of computers at risk of
attack.

Flaws and other programming blunders that are exploitable by hackers
and malware are being quietly cleaned up and fixed in the big Windows
10 releases – such as the Anniversary Update and the Creator's Update.
But this vital repair work is only slowly, if at all, filtering back
down to Windows 7 and Windows 8 in the form of monthly software
updates.

This is all according to researchers on Google's crack Project Zero
team. The fear is that miscreants comparing the various public builds
of Windows will notice these vulnerabilities are being silently fixed
in Windows 10, realize the same holes are present in earlier versions
of Windows – which are still used in homes and businesses worldwide –
and thus exploit the bugs to infect systems and spy on people. And if
hackers haven't realized this, they will now: Google staffers have
publicly blogged about it.

Redmond engineers are quietly addressing these Windows security flaws
as part of their efforts to improve components within the Windows 10
operating system. For instance, a team may be tasked with improving
memory management in the kernel, and as a result, will rewrite chunks
of the source code, boosting the software's performance while
squashing any pesky exploitable bugs along the way. For the marketing
department, this is great news: now they can boast about faster
loading times. Malware developers, meanwhile, can celebrate when they
discover the programming blunders are still present in Windows 8 and
7.

"Microsoft is known for introducing a number of structural security
improvements and sometimes even ordinary bug fixes only to the most
recent Windows platform," Google Project Zero researcher Mateusz
Jurczyk said on Thursday.

"This creates a false sense of security for users of the older
systems, and leaves them vulnerable to software flaws which can be
detected merely by spotting subtle changes in the corresponding code
in different versions of Windows."

As an example of the problem, Jurczyk highlighted the wobbly use of
memset() within the kernel. This is a function that is supposed to
overwrite bytes in a specific area of memory to a specific value, such
as zero, thus scrubbing away whatever was previously stored in that
portion of memory.

When the kernel is told by an application, via the
NtGdiGetGlyphOutline system call, to fill an area of memory with
information, and copy it into the app's memory space, the OS doesn't
fully overwrite the area using memset() prior to the copy operation.
This means the kernel ends up copying into the application's memory
space left over private kernel data, thus leaking information it
really shouldn't. This can be useful to snoop on the OS and other
programs, or gain enough knowhow of the system's internal operations
to pull off more damaging exploits.

This information-disclosure bug was fixed in Windows 10, but remained
present in Windows 7 and Windows 8.1 – until it was reported by
Project Zero to Microsoft at the end of May this year and fixed in
patches for Windows 7 and 8.1 systems in September. Google typically
gives vendors, including Microsoft, 90 days to address any reported
security shortcomings before going public, forcing developers and
manufacturers to play their hand.

This months-long lag in deploying patches to previous flavors of
Windows is leaving systems vulnerable to attack. By broadly upgrading
the security defenses in Windows 10, Microsoft is making it easier for
hackers to see where they could exploit weak spots in older versions.

"Not only does it leave some customers exposed to attacks, but it also
visibly reveals what the attack vectors are, which works directly
against user security," Jurczyk explained.

"This is especially true for bug classes with obvious fixes, such as
kernel memory disclosure and the added memset calls."

While it's not realistic to expect a vendor to maintain major updates
and produce patches indefinitely for older software versions, as many
as half of all Windows users are still running Windows 7 and 8 –
meaning millions of people are being put at risk by Windows 10's
security improvements, ironically.

Windows 8.1 is supposed to receive monthly security fixes until
January 10, 2023, and for Windows 7, January 14, 2020.

"Windows has a customer commitment to investigate reported security
issues, and proactively update impacted devices as soon as possible,"
a Microsoft spokesperson told The Register.

"Additionally, we continually invest in defense-in-depth security, and
recommend customers use Windows 10 and the Microsoft Edge browser for
the best protection."

Translation: please, please stop using Windows 7 and 8

https://t.co/z6zw1aNhCq


So far, just a bunch of FUD. The author makes no mention that the
repairs to Windows 10 have counterparts in older versions of Windows.
Can't repair what ain't broke. New code in Windows 10 means new
vulnerabilities unique to THAT operating system.

You were told long ago by Microsoft that they would only do monthly
security updates for their old and UNSUPPORTED operating systems.
Eventually you won't get ANY updates, security or otherwise. Windows 7
extended support ends on Jan 14, 2020, a little over 2 years from now.
You MUST have Service Pack 1 since Win7 sans SP1 extended support is
already long dead. Windows 8 extended support ends on Jan 10, 2023 so
you get longer for security updates but who wants to go to Windows 8?

Windows 7/8 users are not getting put at greater security risk as the
author wants to flame. They are at the same security risk as before.

Since updates are forced in Windows 10 whenever Microsoft wants to push
them, saying Microsoft is silently or covertly pushing out updates is
just more FUD. In fact, no backward code vulnerabilities have yet been
revealed so this is just some author guessing what could happen.
  #5  
Old October 8th 17, 11:29 PM posted to alt.windows7.general
Good Guy[_2_]
external usenet poster
 
Posts: 3,354
Default Microsoft silently fixes security holes in Windows 10 -- dumps Win 7, 8 out in the cold

On 08/10/2017 18:13, Steve Hayes wrote:
Microsoft Critical Articles


You have posted a link that criticises Microsoft in every article they
write. They are using Linux and so this should tell you everything you
need to know about their articles.

However, a South African like you with AIDS and rampant crime rate in
Johannesburg, I don't hold my breath to have any common sense to
understand how advertising works in modern tech industries.

https://i.imgur.com/WcvyvQR.png

What I don't understand is why do people continue using Microsoft or
Adobe products when they are avid users of LinJunk. Why are you here on
Windows newsgroup anyway?


--
With over 500 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

  #6  
Old October 10th 17, 12:38 AM posted to alt.windows7.general
Stan Brown
external usenet poster
 
Posts: 2,904
Default Microsoft silently fixes security holes in Windows 10 -- dumps Win 7, 8 out in the cold

On Sun, 8 Oct 2017 16:48:57 -0500, VanguardLH wrote:
Steve Hayes wrote:

[quoted text muted]

By Shaun Nichols in San Francisco 6 Oct 2017 at 19:34

https://t.co/z6zw1aNhCq


When providing redirection links, show the long URL and your shortened
URL. Don't expect anyone to blindly visit some hidden target.


Well said.


--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
 



