HomeWinBuzzer NewsGoogle Project Zero Warns Microsoft about Exclusive Windows 10 Patches

Google Project Zero Warns Microsoft about Exclusive Windows 10 Patches

Microsoft's tendency to focus on Windows 10 security could leave Windows 7 vulnerable, says Google Project Zero researcher Mateusz Jurczyk. He points out several bugs that can be discovered by looking for discovered bugs in older OSes.

-

Though there have been a few stumbles, has been very good at keeping its OS secure. It releases regular security patches, fixes bugs in Edge, and consistently introduces new features.

Unfortunately, the same can't be said for its other OSes. In May, it was criticized for holding back a patch for the WannaCrypt ransomware on XP, and now is in the spotlight.

researcher Mateusz Jurczyk has highlighted Microsoft's selective patches, saying it leaves clues for hackers. After a Windows 10 fix, hackers use a technique called binary diffing to discover the weaknesses in older .

As Windows 10 shares much of its core code with Windows 8 and 7, it leaves them open. With Windows 7 accounting for half of all users, that's a huge number.

“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bugfixes only to the most recent Windows platform,” Jurczyk explained. “This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”

Zero-Day Exploits Already Found

Jurczyk then went into detail, exposing several zero-day exploits he found using this technique. He found instances of uninitialized kernel memory disclosure, which can be used to bypass kernel ASLR.

What's more, Jurczyk said the technique “was in fact pseudocode-level diffing that didn't require much low-level expertise or knowledge of the operating system internals.”

“We hope that these were some of the very few instances of such ‘low hanging fruit' being accessible to researchers through diffing,” he concludes. “And we encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software.”

You can read more about the issue on the Project Zero blog.

Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.