Google’s Project Zero researcher Mateusz Jurczyk said in a blog post that Microsoft is putting its Windows 7 users’ security in jeopardy by patching Windows 10 actively but not issuing similar patches for its older siblings.
A common technique called patch diffing, which compares two binary builds that share the same core code, one containing a vulnerability and the other containing the security fix, is used for finding vulnerabilities and potential attack paths in software. Jurczyk says patch diffing is especially effective against software products that share the same code and coexist in the market but are serviced independently by the vendor, such as Windows 7, 8 and 10.
The blog post demonstrates the use of patch diffing to find three vulnerabilities, CVE-2017-8680, CVE-2017-8684 and CVE-2017-8685, in Windows 7 and 8.1. Project Zero notified Microsoft about the bugs, and they were patched in the May and September updates. "This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows," Jurczyk writes.
The research also points out that the vulnerabilities are not hard to exploit and could easily be used by non-advanced attackers. Jurczyk said software vendors should reduce the number of exploitable instances of each bug that remain by applying security improvements consistently across all supported versions of their software.
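The patch diffing idea above, and the consistency check Jurczyk asks vendors for, in miniature: this is an added example written for this page, not code from Project Zero or Microsoft. The three "builds" are constructed dictionaries of made-up function bytes standing in for disassembled functions; a fix that changed one function in the new build is looked up in a sibling build to see whether that sibling still carries the pre-fix code.

```python
import hashlib

# Constructed sample "builds": each maps a function name to that
# function's code bytes. Real patch diffing works on functions lifted
# from two binaries; these byte strings are made up for the example.
BUILD_OLD = {          # hypothetical Windows 10 build before the fix
    "ParseHeader": b"\x55\x8b\xec\x8b\x45\x08\x8a\x00\x5d\xc3",
    "CopyRecord":  b"\x55\x8b\xec\x8b\x4d\x08\x8b\x55\x0c\xf3\xa4\x5d\xc3",
    "Cleanup":     b"\x55\x8b\xec\x33\xc0\x5d\xc3",
}
BUILD_NEW = {          # same build after the fix: only CopyRecord changed
    "ParseHeader": BUILD_OLD["ParseHeader"],
    "CopyRecord":  b"\x55\x8b\xec\x8b\x4d\x08\x3b\x4d\x10\x77\x02\xf3\xa4\x5d\xc3",
    "Cleanup":     BUILD_OLD["Cleanup"],
}
BUILD_SIBLING = {      # hypothetical Windows 7 build, serviced separately
    "ParseHeader": BUILD_OLD["ParseHeader"],
    "CopyRecord":  BUILD_OLD["CopyRecord"],
    "Cleanup":     BUILD_OLD["Cleanup"],
}


def fingerprint(build):
    """Hash each function's bytes so two builds can be compared by name."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in build.items()}


def diff_builds(before, after):
    """Names of functions present in both builds whose code changed."""
    fb, fa = fingerprint(before), fingerprint(after)
    return sorted(n for n in fb if n in fa and fb[n] != fa[n])


def missing_fixes(before, after, sibling):
    """Functions the patch changed that the sibling still has in the
    pre-fix form: candidates for a fix that was not applied there."""
    changed = diff_builds(before, after)
    fb, fs = fingerprint(before), fingerprint(sibling)
    return [n for n in changed if fs.get(n) == fb[n]]


if __name__ == "__main__":
    print("changed by patch:", diff_builds(BUILD_OLD, BUILD_NEW))
    print("still unpatched in sibling:",
          missing_fixes(BUILD_OLD, BUILD_NEW, BUILD_SIBLING))
```

Comparing by exact hash is the simplest form of the technique; real tooling matches functions structurally so that compiler noise is not reported as a change.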
A reminder of the need to issue critical patches for older systems came in the form of ransomware. Because Microsoft had ended support for Windows XP and Server 2003, the company did not issue patches for the latest vulnerabilities, and the WannaCry and Petya ransomware hijacked users' systems and demanded a ransom to release their data.