Google: Microsoft's focus on Windows 10 puts Windows 7 and 8 users at risk
Microsoft's security focus on Windows 10 puts users who run devices with older but still supported versions of Windows at risk, according to Google Project Zero researcher Mateusz Jurczyk.
The researcher noticed that previous versions of Windows -- Windows 7 and 8.1 to be precise -- were affected by the vulnerability described as Windows Kernel pool memory disclosure in win32k!NtGdiGetGlyphOutline whereas Windows 10 was not.
Microsoft fixed the issue on Windows 10, while it did not patch it on older versions of Windows. Microsoft added a memset to Windows 10 which prevented the information disclosure on the operating system.
This suggests, according to Jurczyk, that Microsoft identified the issue internally and fixed it on Windows 10, but not on Windows 7 or 8.1.
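The bug class and the one-line fix described above, modelled in user-mode C as an added example (not Microsoft's code and not taken from the Project Zero research). The recycled block, the handler, the sizes and the 0xA5 pattern are constructed stand-ins for a kernel pool allocation and a system call handler that copies its whole buffer back to the caller:

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OUT_SIZE 64   /* bytes copied back to the caller (constructed value) */
#define USED     16   /* bytes the handler actually initializes (constructed value) */
#define STALE    0xA5 /* constructed marker for data left by a previous owner */

/* Stand-in for a recycled pool block: pool memory is not zeroed on
   allocation, so a new owner sees whatever the previous owner left. */
static uint8_t pool_block[OUT_SIZE];

static void previous_owner_uses_block(void) {
    memset(pool_block, STALE, sizeof pool_block);
}

/* Hypothetical handler: writes USED bytes of real output, then copies the
   full OUT_SIZE block across the trust boundary. */
static void handler(uint8_t *user_out, int zero_first) {
    uint8_t *buf = pool_block;          /* "allocate" the recycled block */
    if (zero_first)
        memset(buf, 0, OUT_SIZE);       /* the added memset: clear before use */
    for (size_t i = 0; i < USED; i++)
        buf[i] = (uint8_t)i;            /* legitimate output */
    memcpy(user_out, buf, OUT_SIZE);    /* copy-out includes the unused tail */
}

/* Count stale bytes from the previous owner that reached the caller. */
size_t leaked_bytes(int zero_first) {
    uint8_t user_out[OUT_SIZE];
    size_t leaked = 0;
    previous_owner_uses_block();
    handler(user_out, zero_first);
    for (size_t i = USED; i < OUT_SIZE; i++)
        if (user_out[i] == STALE)
            leaked++;
    return leaked;
}

int main(void) {
    printf("without memset: %zu stale bytes returned\n", leaked_bytes(0));
    printf("with memset:    %zu stale bytes returned\n", leaked_bytes(1));
    return 0;
}
```

The only difference between the two runs is the single memset call, which is why a fix of this kind stands out when two builds of the same function are compared.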
The vulnerability came to light in 2017 when it was revealed publicly. Microsoft fixed the issue on the September 2017 Patch Day for affected operating systems.
The question that came to Jurczyk's mind after discovering that the issue affected only previous versions of Windows was how widespread the issue was.
To answer it, he used binary diffing, a method that reveals differences between versions of a single product, and analyzed the Windows files ntkrnlpa.exe, win32k.sys, ntoskrnl.exe, tm.sys, win32kbase.sys and win32kfull.sys.
He discovered a large number of differences between Windows 7 and 10, and Windows 8.1 and 10. Windows 7, being the older operating system (compared to Windows 8.1), had more differences when compared to Windows 10 than Windows 8.1 did.
Quite intuitively, the Windows 7/10 comparison yielded more differences than the Windows 8.1/10 one, as the system progressively evolved from one version to the next. It's also interesting to see that the graphical subsystem had fewer changes detected in general, but more than the core kernel specifically in the syscall handlers.
Google started to investigate these differences and found two new vulnerabilities in the process (the two vulnerabilities that were addressed in the September 2017 Patch Day).
Jurczyk concludes that the focus on patching only the most recent version of a product, in Microsoft's case Windows 10, may be used by malicious actors to find vulnerabilities in older versions of a product.
Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security. This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls.
Microsoft's focus on Windows 10 is quite problematic from a security point of view, considering that all three versions of Windows are still supported by Microsoft, and that Windows 8.1 is still in mainstream support.