Though there have been a few stumbles, Microsoft has been very good at keeping its Windows 10 OS secure. It releases regular security patches, fixes bugs in Edge, and consistently introduces new features.

Unfortunately, the same can’t be said for its other OSes. In May, it was criticized for holding back a patch for the WannaCrypt ransomware on XP, and now Windows 7 is in the spotlight.

Google Project Zero researcher Mateusz Jurczyk has highlighted Microsoft’s selective patching, saying it leaves clues for hackers. After a fix ships only for Windows 10, attackers can compare the patched and unpatched binaries, a technique called binary diffing, to locate the same weaknesses in older operating systems that never received the fix.

Because Windows 7 and 8 share much of their core code with Windows 10, a flaw fixed only in Windows 10 remains exposed in them. With Windows 7 accounting for half of all users, that’s a huge number.

“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bugfixes only to the most recent Windows platform,” Jurczyk explained. “This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”

Zero-Day Exploits Already Found

Jurczyk then went into detail, describing several zero-day exploits he found using this technique. Among them were instances of uninitialized kernel memory disclosure, where kernel data that was never cleared is returned to user mode; such leaks can reveal kernel addresses and so be used to bypass kernel ASLR.

What’s more, Jurczyk said the technique “was in fact pseudocode-level diffing that didn’t require much low-level expertise or knowledge of the operating system internals.”

“We hope that these were some of the very few instances of such ‘low hanging fruit’ being accessible to researchers through diffing,” he concludes. “And we encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software.”

You can read more about the issue on the Project Zero blog.

  • Jason

    Wait a minute. Google? The company that stops providing security patches to “old” Android phones? Their policy for security updates is 3 yrs or 18 months after last sold in the Play Store. How long has Microsoft been supporting Windows 7? Even offering free OS upgrades to 8 and 10 along the way, which certainly blows Google’s 2-year OS upgrade policy out of the water.

    Google should probably shut up on this one.

  • Jason

    Also, ASLR has been a joke for a long time. Weakly implemented in Linux and proven to be little of a deterrent. Provides nothing but a false sense of security.

  • Hello there, Admin. I am trying to contact you through your contact page, but it’s not working. Please solve it.