Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7

mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]"

It's Time To Move On.

"People are aware that Windows has bad security but they are underestimating the problem because they are thinking about third parties. What about security against Microsoft? Every non-free program is a 'just trust me program'. 'Trust me, we're a big corporation. Big corporations would never mistreat anybody, would we?' Of course they would! They do all the time, that's what they are known for. So basically you mustn't trust a non free programme."

"There are three kinds: those that spy on the user, those that restrict the user, and back doors. Windows has all three. Microsoft can install software changes without asking permission. Flash Player has malicious features, as do most mobile phones."

"Digital handcuffs are the most common malicious features. They restrict what you can do with the data in your own computer. Apple certainly has the digital handcuffs that are the tightest in history. The i-things, well, people found two spy features and Apple says it removed them and there might be more""

From:

Richard Stallman: 'Apple has tightest digital handcuffs in history'
www.newint.org/features/web-exclusive/2012/12/05/richard-stallman-interview/

Re:It's Time To Move On.

[msobkow]

The question is not just whether an OS is secure, but how long it takes for patches to be rolled out. While Microsoft often sits on their laurels when it comes to releasing patches, the king of procrastination is Oracle, which has left known issues in the wild for decades.

Still, I don't disagree with the general intent of your post, which I read as "closed source is not necessarily worse than open source." But that's only up to a point -- timely patches are critical to maintaining the security of a system, and when Microsoft purposely omits patches for downlevel releases that are still under support, they do a great disservice to their customers, to the 'net community as a whole, and to their own reputation and therefore bottom line.

Re:It's Time To Move On.

[RR]

Richard Stallman is full of crap if he is claiming that Windows is endemically, technically less secure. Anyone remember the Pwn2Own games? Anyone remember what OS fell first every time? Thats right, fully patched OSX (think that changed ~2012). This could turn into a debate lasting days, but suffice it to say that from a technical level Windows is pretty secure.

You totally misunderstand Stallman's point. Stallman is not arguing that open source leads to better quality software. That would be Eric Raymond. Stallman is arguing that you can't trust Microsoft. More of an Auguste Kirchhoffs interpretation. And I don't see what OSX has to do with free software.

Stallman objects to closed source philosophically, and Windows especially. In addition to being proprietary, Stallman is arguing that Windows has features to report your use of Microsoft software and potentially lock you out (Windows Activation), to add or delete software without warning (Windows Update), to track you across any device around the world (Microsoft Account), and to keep you from using the computer in inappropriate ways (Protected Media Path, Driver Signing, Secure Boot). I don't see how he's wrong.

Somebody in the Chinese government seems to have noticed, and is now trying to get Windows banned there.

My hope is that all who take this like will grow up and abandon their zealotry before they enter the workforce.

"The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man." - George Bernard Shaw

Re:It's Time To Move On.

[symbolset]

The problem appears to be that if you choose Microsoft you are going to get this OS migration hassle anyway, on a regular recurring cycle, because their business model requires it. So if you are migrating OS anyway you may as well do it right once, leave them, and be done with that hassle forever.

Re:It's Time To Move On.

[SeaFox]

Richard Stallman is full of crap if he is claiming that Windows is endemically, technically less secure. Anyone remember the Pwn2Own games? Anyone remember what OS fell first every time? Thats right, fully patched OSX (think that changed ~2012).

Yes, and OSX falling first had nothing to do with the participants specifically targeting it. I mean, they would have nothing to gain from focusing their efforts on a single operating system, like the bragging rights of hacking a supposedly "secure" platform, or taking Macintosh snobs down a notch, or winning a $2000 Mac laptop instead of a $500 Dell. No siree.

Re:It's Time To Move On.

[LordLimecat]

Hes not wrong, except he beats a dead horse. Everyone knows what Windows activation is, that you cant patch Windows yourself, that you cant inspect the code.

Incidentally Driver Signing and Secure Boot can both be turned off, and theyre not to stop you from misusing your computer. You (he) might as well complain that AppLocker or Software Restriction Policies are draconian DRM-- except theyre really not, theyre a mechanism to harden the OS.

>>(Quote)

Stallman takes his ideology so far that he becomes completely irrelevant. I know of noone outside of the OSS movement (and surprisingly few in it) that actually take him seriously-- he goes so far off the deep end that hes managed to alienate a full half of the Unix userbase as well.

Re:It's Time To Move On.

[LordLimecat]

Pwn2Own was useful because the common claim was that it wasnt just the huge userbase of windows that attracted exploit writers. but that it was that Windows was actually less secure than OSX. But when a shiney new laptop is on the line, people had no problem getting root. You can argue that OSX had 9 root-level exploits and Windows had 10 in any given competition-- but its sort of a moot point. By far and away the biggest factor in what systems get exploited is monetary gain and return on investment.

Id also note that, in the actual real world, somethin like 85-90% of exploits are non-OS-- theyre browser or browser plugin exploits. The only people arguing that Windows is more vulnerable to viruses are people with no friggin clue. Remove Java and virus incidence goes down like 50%.

Naturally, they've done it before

[Todd+Knarr]

This is just an extension of the kind of coerced upgrade Microsoft's attempted before. With Vista and then with Win7, when they didn't take off on their own MS tried to force the issue by making the latest versions of IE and DirectX and such only available for Vista/7, not XP. This is the same thing: "Upgrade to Win8 or take the heat for running a vulnerable OS.". Thing is, it'll backfire the same way the "no latest DirectX on XP" did. Win7's such a large base that developers can't afford to write code that won't run on it, so they won't be able to use the new Win8-only safe functions. Which means applications will remain vulnerable on Win8, just like on Win7 where they also run.

Re:Two bits to say here

I believe that the updates have not been applied to Windows XP. There was a point in time when Win7 was being updated but XP was not getting those updates.
The only significance I'm seeing in this is that WIn7 is still within its support period. Still, this could make some sense if the new security implementations actually rely on technology foundations that are actually built into Windows 8 but which are not a part of Windows 7. That's one possibility that would make some sense.
Unfortunately, Microsoft may feel an incentive to categorize updates as being appropriate only for Windows 8, simply in hopes of driving people away from older operating systems.

Rant: It's not like updating only Windows 8 is sufficiently convincing to get people to move from Windows 7 to Windows 8. Even if Microsoft refused to fix a terrible flaw threatening Windows 7 machines, that doesn't mean I would worsen the situation by going to Windows 8.1 or, even worse, Windows 8. Like Vista, Windows 8 (including 8.1) is condemned to be something that should be skipped. Hopefully Windows 9 will be less useless.

Article is dumb.

[Kaenneth]

These are mostly new functions added for Windows 8, they don't exist in the Windows 7 SDK.

If you wrote your programs to use them, they wouldn't work on 7, only 8, which everyone seems to hate.

If MS added them to a patch for 7, there would then be 2 fragmented versions of Windows 7, so if a customer calls you asking if your software works on Windows 7, you would have to ask if they have installed KB######, and they would say 'I don't know.', or they might lie and say yes, or no, and you'll have to walk them through checking installed Windows updates...

Re:Shoddy Ethics

Windows 7 is still supported, so doing this now isn't shoddy ethics, it's a breach of contract. If they think that having shorter support periods will drive more sales, then have to start with Windows 9.

Re:Still sticking with XP...

[Mashiki]

Yep, Windows 7 and XP are so fundamentally different in terms of the UI that it *might* have taken you all of 15 minutes to learn the differences.

And of course if it was Windows 8, it might have taken you all of 10 minutes to install a UI shell which would have made the experience exactly the same. Then again if your internet is the equivalent of a string between two cans, I can see it taking 2-3 days to find this out.

Re: Two bits to say here

[binarylarry]

Hopefully Google, Apple and Canonical find a way to replace Microsoft products before Windows 9 ships.

Squeeze blood from the rocks!

[Your+Average+Joe]

I say de-support all OSes but Windows Server 2012r2 and Windows 8.1 x64!

Force all users to buy the latest OS and use it! I am sure the shareholders will LOVE that card trick.

Re: Two bits to say here

[symbolset]

1.2 billion smart devices shipped without Windows last year, and more than that number will ship this year, making over 2.5 billion devices shipped in only two years and likely still in use. There are only 7 billion humans and two thirds of them are too impoverished, young, old or uninterested to be in the market for such things. So this event you are hoping for appears to have already happened.

Re:I absolutely HATE to say this but... apk

[Opportunist]

MS is the IBM of the new century. No, really.

IBM was the "computer company" up 'til about the 1980s. You could simply not ignore IBM if you had anything to do with computers in a way that goes beyond hobbyist interests. You had a company and that company used computers? You had IBM. You might have had some other tools and toys, but the core of your computer system, the backbone, the framework and pretty much everything that was relevant to actually getting and keeping your computer system running was IBM.

This of course led to some serious hubris by IBM. The same "my way or the highway" attitude you can see in MS today. We tell you what you buy and you will eat our shit and call it chocolate fudge. I guess it goes without say that this didn't really sit too well with the various companies, but, well, what can you do? If you need computers in your company, you can't ignore IBM.

Times changed and PCs came, and IBM ignored them as petty machines that don't fit their paradigm of the mainframe - terminal ideal. They did enter the PC market halfheartedly, but when they noticed that the PC is here to stay, they tried to regain control over it. The MCA illustrates this very well. It was a bus vastly superior to the (then standard) ISA bus. Their licensing practice ignored completely the emerging PC clone market, though, the market that became more and more important as small companies and private people wanted to use PCs and considered money a deciding factor for the choice of computers. Add that companies so far using IBM wanted to get out of their stranglehold and one can easily see why the "clones" became more and more popular and why a bus that was at least on par with the later very popular PCI bus never became popular or widely supported by third party manufacturers.

MS is now following that "my way or the highway" hubris. I guess they need to learn it, too, that you can only force people to drink your cool-aid as long as they don't have an alternative.