Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7 218
mask.of.sanity sends this news from El Reg:
"Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]"
This makes sense... (Score:5, Informative)
Windows Sustained Engineering is a different org across the street with different funding and goals, and they don't automatically fix all of the bugs the Windows feature teams fix. There's a triage process for deciding whether bugs are important enough to fix in downlevel releases.
Don't Tell Me This (Score:5, Informative)
I don't want to hear this. I just finished the migration from XP to Win7.
Do not want to go through that again for another 6 years.
Re:Dear Microsoft.... (Score:5, Informative)
After having played with a surface tablet and an "embedded" windows 8 computer (those things that combine the computer and the screen), I can tell you this about the touch features: they are broken by design, gets in the way of doing things (even moving a file is more complicated than using a mouse, and why doesn't the keyboard pop up when hitting a textbox?), and as such are useless for everyone, not just the cube farm drones.
Re:This makes sense... (Score:5, Informative)
This. And there's no evidence that these changes correspond to exploitable security vulnerabilities. If you look at the slides, what they're actually complaining about is that certain OS code paths have been updated to use intsafe.h/strsafe.h functions in Windows 8, but not in Windows 7. Because intsafe/strsafe are used to help avoid overflow vulnerabilities, the conclusion the article draws is that these must be actual vulnerabilities, which are being fixed in Windows 8 without being ported to Windows 7.
It's worth noting that the entire presentation that the article is based on is an advertisement for their DiffRay diffing tool, so they have some incentive to overstate things. It's entirely possible that the changes that they're pointing out as "fixing potential 0-days in 8 but not 7" are actually just moving a couple of bounds checks from ad-hoc implementations in the functions themselves to the standardized common intsafe calls. Or it could be that there is already correct bounds enforcement elsewhere, and these checks are just added for redundancy, or to make function-local static analysis a little bit cleaner. I honestly don't know, but there are enough plausible benign explanations that the alternative of "Microsoft is deliberately exposing its largest set of customers to vulnerabilities" seems kind of absurd. Bring me the extraordinary evidence for this claim.
Disclosure: I'm a dev on the Windows team. I don't have any specific knowledge of this, and I'm not writing this in any official or compensated capacity.
Re:Shoddy Ethics (Score:2, Informative)
No, it's a breach of law meaning it can be taken to court. A breach of ethics doesn't necessarily allow that unless what they're doing is not only unethical but also unlawful due to existing laws.
Cutting off support for software isn't against the law unless you were promised updates for a specific longer term of support. Which was given with Windows 7. If there wasn't a promised amount of time for updates/patches promised beforehand, it'd just be a dick move.
Re:It's Time To Move On. (Score:5, Informative)
Anyone remember the Pwn2Own games? Anyone remember what OS fell first every time? Thats right, fully patched OSX (think that changed ~2012).
Do you remember how Pwn2Own worked? Obviously not. It was turned based not race based meaning a team/person was selected to try their exploit first before any other team. And the team got to select which system they tried because they got to own that system.
If that team did not succeed, the next team got a try. Of course, teams would try systems they both wanted and had exploits. No one picked a system they didn't want. Most often it was OS X first on the first try. But Windows systems also fell on their first try. Almost never did a Linux system fall. In fact, many times, a Linux system was never attempted.
And it was never fully patched system. The systems were also fixed at a certain date prior to the contest so that the teams had a chance to attack it. Sometimes the exploits had been patched already.