Computer Active (UK)

Question of the Fortnight

Google accuses Microsoft of leaving clues for hackers

Do Windows 10 fixes leave W7 & W8.1 unsafe?

The highlight of any hacker’s day is finding a security flaw in widely used software. One method they use is ‘binary diffing’, which is looking for fixes in new versions of a program in order to identify weaknesses in older versions. If the software developer doesn’t quickly apply the fix to the old version, the hacker can strike.

Microsoft is guilty of this poor practice, Google says. A researcher for the latter’s Project Zero security team claims that Microsoft updates Windows 10 without updating 7 and 8.1, in effect leaving clues for hackers to follow. Writing on the Project Zero blog (www.snipca.com/25931), Mateusz Jurczyk said Microsoft creates “a false sense of security for users of the older systems”, leaving them vulnerable to flaws that can be located “merely by spotting subtle changes in the corresponding code in different versions of Windows”.

Jurczyk’s team found several flaws in Windows 7 and 8.1 that had already been fixed in Windows 10. They weren’t hard to find, he said. In September Microsoft eventually fixed the vulnerabilities, four months after being told about them by Google. This highlights Project Zero’s controversial policy of reporting flaws to companies, then giving them 90 days to release a fix. If this deadline passes, Google goes public with the flaw, a move critics slam as irresponsible because hackers can use the info to launch attacks. Others insist that Google’s ruthless policy maintains high standards across the tech industry.

Jurczyk said he hoped these flaws were some of only a “very few instances” of binary diffing. He also urged software developers to apply security fixes across all versions they support – and that’s a crucial point. Microsoft’s ‘Windows lifecycle fact sheet’ (www.snipca.com/25932) states that it will support Windows 7 and 8.1 until January 2020 and 2023 respectively. There’s no mention that these operating systems won’t receive the same fixes as Windows 10.

This matters because Windows 7 is still the world’s most popular operating system, running on almost 44 per cent of Windows computers according to new figures from analysts Statcounter (www.snipca.com/25933). Add Windows 8.1’s nine per cent, and more than half of all Windows users are running an operating system that Microsoft shows signs of neglecting.

A cynic digging deeper into Statcounter’s data might find a reason for Microsoft’s behaviour. The trend shows that Windows 10, currently running on 39 per cent of computers, will overtake Windows 7 in December.

Microsoft will be pleased, but it expected this to happen sooner. When it launched Windows 10 in July 2015, Microsoft aimed to have it installed on one billion devices in two to three years. To hit this target, its developers are under pressure to upgrade Windows 10 at a greater pace, tweaking it to make it faster, and eliminating security bugs. Microsoft can then promote Windows 10 as ‘new and improved’, not caring – so it appears – that 7 and 8.1 users suffer.

Microsoft’s response to Jurczyk’s claim wouldn’t change a cynic’s mind. It said that while it is committed to investigating reported security problems and updating computers “as soon as possible”, it also recommends people use Windows 10 and its Edge browser “for the best protection”. It seems that all operating systems are equal, but some are more equal than others.

More than half of all PC users are running an operating system Microsoft seems to be neglecting
