Security improvements should be a welcome addition to all software, but if they are not also simultaneously backported into its older and still supported versions, they can put many users at risk.
Case in point: Windows
According to Google Project Zero researcher Mateusz Jurczyk, Microsoft is leaving a huge number of users open to attack by failing to pushing out security fixes for Windows 7, 8 and 10 at the same time.
All these Windows version are under active support – Windows 7 should receive security fixes until January 2020, and Windows 8.1 until January 2023. As a matter of fact, Windows 7 still has a nearly 50% share on the desktop market.
The thing that prompted his research was finding that a 0-day uninitialized kernel memory disclosure bug (CVE-2017-8680) has been fixed in Windows 10 but not in Windows 7 and 8.
He used binary diffing – a process of comparing binaries of two or more versions of a single product – to find other discrepancies. He discovered two more bugs (CVE-2017-8684, CVE-2017-8685) that were fixed in some versions of Windows but not others. The latter, for example, was fixed in Windows 8 but not in Window 7.
“Security-relevant differences in concurrently supported branches of a single product may be used by malicious actors to pinpoint significant weaknesses or just regular bugs in the more dated versions of said software. Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security,” Jurczyk pointed out.
Not just a Microsoft problem
The “binary diffing” process he used didn’t require much low-level expertise or knowledge of the operating system internals, he noted, and said it could have been easily used by non-advanced attackers to identify the same three vulnerabilities “with very little effort.”
Even though he singled out Microsoft in his research, and noted that “Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bugfixes only to the most recent Windows platform,” he pointed out that all software vendors should make sure that security improvements are applied consistently across all supported versions of their software.
Failing to do that creates a false sense of security for users of the older systems/software, and “leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”