Windows 10 patching could make older systems vulnerable

Microsoft's practice of automatic Windows 10 patching could be uncovering vulnerabilities in older systems that can be exploited by attackers, Google researchers said.

Researchers said Microsoft's practice of prioritizing Windows 10 patching might have a negative effect on older supported systems if fixes aren't made available at the same time.

Mateusz Jurczyk, security researcher for Google Project Zero, said Microsoft's practice of pushing software fixes for Windows 10 first could allow malicious actors to find those same vulnerabilities in older versions of Windows, and this becomes a problem if Microsoft doesn't also release patches for those systems.

Jurczyk said malicious actors will often reverse-engineer a patch to locate the underlying flaw and then look for that same vulnerability in an unpatched system, either by comparing code between systems (patch diffing) or by comparing different versions of a product (binary diffing). Jurczyk said this is especially dangerous when Microsoft prioritizes Windows 10 patching over older supported systems.

"While Windows 7 still has a nearly 50% share on the desktop market at the time of this writing, Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bugfixes [sic] only to the most recent Windows platform," Jurczyk wrote in a blog post. "This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows."

How Windows 10 patching uncovered older flaws

Jurczyk went on to detail how Windows 10 patching allowed Project Zero to find a Windows kernel memory disclosure flaw in older systems.

"Considering how evident the patch was in Windows 10 (a completely new memset call in a top-level syscall handler)," Jurczyk wrote, "I suspected there could be other similar issues lurking in the older kernels that have been silently fixed by Microsoft in the more recent ones."
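The fix Jurczyk describes, a memset added in front of a syscall handler's output, closes the familiar kernel memory disclosure pattern in which a structure's named fields are filled in but its padding bytes are copied to user mode uninitialized. The C program below is an added illustration, not code from the Project Zero write-up or from Windows: `struct query_info`, its fields and the two handler functions are hypothetical, and a marker-filled buffer stands in for stale kernel stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical structure a syscall handler copies back to user mode.
 * The field order forces padding: 7 bytes after `flags`, 2 after `version`. */
struct query_info {
    uint8_t  flags;
    uint64_t handle_id;
    uint16_t version;
    uint32_t size;
};

/* Unpatched handler shape: every named field is written, but the padding
 * bytes keep whatever the stack frame held before the call. */
static void fill_info_unpatched(struct query_info *out)
{
    out->flags = 1;
    out->handle_id = 0x1122334455667788ULL;
    out->version = 2;
    out->size = (uint32_t)sizeof *out;
}

/* Patched handler shape: one memset zeroes the whole structure, padding
 * included, before the fields are filled in. */
static void fill_info_patched(struct query_info *out)
{
    memset(out, 0, sizeof *out);
    fill_info_unpatched(out);
}

/* Simulate a reused kernel stack frame: pre-fill the output with a marker
 * byte (constructed stale data), run the handler, and count marker bytes
 * that survive into what a user-mode caller would receive. */
size_t stale_bytes_leaked(int patched, uint8_t marker)
{
    union {
        struct query_info info;
        uint8_t raw[sizeof(struct query_info)];
    } frame;
    memset(frame.raw, marker, sizeof frame.raw);
    (patched ? fill_info_patched : fill_info_unpatched)(&frame.info);

    size_t leaked = 0;
    for (size_t i = 0; i < sizeof frame.raw; i++)
        leaked += (frame.raw[i] == marker);
    return leaked;
}
```

Compiled on a typical x86-64 toolchain the structure is 24 bytes with 9 bytes of padding, so the unpatched handler leaks 9 stale bytes per call and the patched one leaks none.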

In a May disclosure of the issue, Jurczyk noted evidence suggesting "the issue was identified internally by Microsoft, but only fixed in Windows 10 and not backported to earlier versions of the system."

Although the Windows 10 patching was done quietly earlier in the year, Microsoft didn't release patches for Windows 7 or Windows 8 until September's Patch Tuesday.

Microsoft has been vocal about wanting enterprise users to move to automatic Windows 10 patching with three update branch options, rather than waiting for the monthly Security Update Guide releases, but users have been hesitant due to fears about patches causing more issues.

Windows 7 is due to receive Microsoft support until January 2020 and Windows 8.1 until January 2023.

Microsoft did not respond to requests for comment at the time of this post.
