[German]Google's security researcher Mateusz Jurczyk from Project Zero says, that Microsoft is putting users of Windows 7 and Windows 8.1 at risk, due to inconsistent patching Windows 7, Windows 8.1 and Windows 10.
Advertising
Mateusz Jurczyk's has posted a blog article where he refers to three vulnerabilities discovered by Google and closed with the September patch day for Windows 7 and 8. He analyzed the following vulnerabilities of CVE-2017-8680 and found, that found that the vulnerabilities in Windows 7 and 8 are not present in Windows 10.
Jurczyk writes, that patches for some bugs will bee applied in different ways to each Windows version. By comparing the code in a patch using a technique known as 'binary diffing', he found two other vulnerabilities:
in Windows 7 and Windows 8.1. Both issues affected the Windows GDI+ component, but Microsoft has fixed the issues in the September 2017 Patch Tuesday. His conclusion given here, was:
The aim of this blog post was to illustrate that security-relevant differences in concurrently supported branches of a single product may be used by malicious actors to pinpoint significant weaknesses or just regular bugs in the more dated versions of said software. Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security. This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls. The "binary diffing" process discussed in this post was in fact pseudocode-level diffing that didn't require much low-level expertise or knowledge of the operating system internals. It could have been easily used by non-advanced attackers to identify the three mentioned vulnerabilities (CVE-2017-8680, CVE-2017-8684, CVE-2017-8685) with very little effort. We hope that these were some of the very few instances of such "low hanging fruit" being accessible to researchers through diffing, and we encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software.
The important point, Jurczyk had not mentioned is, that the vulnerable routines in Windows 7 and 8.1 has been completely rewritten in Windows 10. (via)
Advertising
Advertising