Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Varied Patch Process by Microsoft Exposes Windows Users: Google Researcher

Not all Windows releases receive the same treatment when it comes to security patches, leaving some users exposed to known vulnerabilities, security researchers from Google’s Project Zero team warn.

Not all Windows releases receive the same treatment when it comes to security patches, leaving some users exposed to known vulnerabilities, security researchers from Google’s Project Zero team warn.

The researchers explain that, because Microsoft silently patches reported vulnerabilities in major Windows 10 releases, such as the Creators Update or the Fall Creators Update, Windows 8 and Windows 7 users become exposed to vulnerabilities that affect their platform iterations as well.

The issue is that attackers can compare patched Windows 10 builds with the previous, unpatched builds to discover the addressed issues and then target older and still vulnerable platform iterations. By comparing the builds, attackers can discover the vulnerabilities and technical details surrounding them.

Called patch diffing, the technique of comparing binaries is also employed to discover so-called 1-day bugs, or vulnerabilities affecting users who are slow to install security patches, Mateusz Jurczyk of Google Project Zero explains.

Another technique that attackers can use is binary diffing, which allows them to discover differences between “two or more versions of a single product, if they share the same core code and coexist on the market, but are serviced independently by the vendor.”

The Windows operating system is one product binary diffing can be used on, as it currently has three versions under active support, namely Windows 7, 8, and 10. Despite Windows 7 having the largest desktop market share at the moment, at nearly 50%, only the most recent platform iteration is receiving structural security improvements.

“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows,” the security researcher says.

In a blog post, Jurczyk shows how binary diffing was used “to find instances of 0-day uninitialized kernel memory disclosure to user-mode programs.” Such issues can be used in local privilege escalation exploit chains or to expose sensitive data stored in the kernel address space, he argues.

Advertisement. Scroll to continue reading.

“Security-relevant differences in concurrently supported branches of a single product may be used by malicious actors to pinpoint significant weaknesses or just regular bugs in the more dated versions of said software. Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security,” Jurczyk notes.

Contacted by SecurityWeek, a Microsoft spokesperson provided the following statement: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Patches aimed to address the specific vulnerabilities Google’s researcher mentions in his post were released to all supported Windows versions, the Microsoft spokesperson also pointed out.

Related: Microsoft Launches Windows Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.