Slashdot Mirror


Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7

mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]"

12 of 218 comments

  1. This makes sense... by Anonymous Coward · · Score: 5, Informative

    Windows Sustained Engineering is a different org across the street with different funding and goals, and they don't automatically fix all of the bugs the Windows feature teams fix. There's a triage process for deciding whether bugs are important enough to fix in downlevel releases.

    1. Re:This makes sense... by ElPerezoso · · Score: 5, Informative

      This. And there's no evidence that these changes correspond to exploitable security vulnerabilities. If you look at the slides, what they're actually complaining about is that certain OS code paths have been updated to use intsafe.h/strsafe.h functions in Windows 8, but not in Windows 7. Because intsafe/strsafe are used to help avoid overflow vulnerabilities, the conclusion the article draws is that these must be actual vulnerabilities, which are being fixed in Windows 8 without being ported to Windows 7.

      It's worth noting that the entire presentation that the article is based on is an advertisement for their DiffRay diffing tool, so they have some incentive to overstate things. It's entirely possible that the changes that they're pointing out as "fixing potential 0-days in 8 but not 7" are actually just moving a couple of bounds checks from ad-hoc implementations in the functions themselves to the standardized common intsafe calls. Or it could be that there is already correct bounds enforcement elsewhere, and these checks are just added for redundancy, or to make function-local static analysis a little bit cleaner. I honestly don't know, but there are enough plausible benign explanations that the alternative of "Microsoft is deliberately exposing its largest set of customers to vulnerabilities" seems kind of absurd. Bring me the extraordinary evidence for this claim.

      Disclosure: I'm a dev on the Windows team. I don't have any specific knowledge of this, and I'm not writing this in any official or compensated capacity.
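Added example, not from the slides, the article or Windows source: the kind of change ElPerezoso describes, an allocation-size computation done with plain arithmetic next to the same computation routed through IntSafe-style checked helpers. The helper names checked_mul_size/checked_add_size and the record-copy functions are made up for this block; the helpers copy the shape of intsafe.h's SizeTMult/SizeTAdd (result through an out-parameter, failure code on overflow) but are written inline so the block compiles off Windows. The unchecked variant only reports whether its size computation wrapped, so the demo never writes past a buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not Windows source. These two helpers copy the
 * shape of intsafe.h's SizeTMult/SizeTAdd: result via out-parameter,
 * 0 on success, non-zero when the arithmetic would wrap. */
static int checked_mul_size(size_t a, size_t b, size_t *out) {
    if (b != 0 && a > SIZE_MAX / b) return -1;   /* a*b would exceed SIZE_MAX */
    *out = a * b;
    return 0;
}

static int checked_add_size(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b) return -1;             /* a+b would exceed SIZE_MAX */
    *out = a + b;
    return 0;
}

/* Ad-hoc pattern: allocation size derived with plain arithmetic. For a
 * large enough count the multiply wraps, malloc hands back a buffer
 * smaller than the payload, and the copy that follows overruns it.
 * This function only reports whether the computed size can hold the
 * records (1 = wrapped/too small, 0 = sane) so nothing bad is touched. */
int unchecked_size_wraps(size_t count) {
    size_t bytes = count * sizeof(uint32_t) + 16;   /* 16-byte header */
    return bytes / sizeof(uint32_t) < count;         /* cannot hold count records */
}

/* IntSafe-style rewrite: each step is checked, and a failed check aborts
 * the allocation instead of silently producing a too-small buffer.
 * Returns a malloc'd copy of count records behind a zeroed 16-byte
 * header, or NULL on overflow or allocation failure. */
uint8_t *copy_records_checked(const uint32_t *src, size_t count) {
    size_t payload, total;
    if (checked_mul_size(count, sizeof(uint32_t), &payload) != 0) return NULL;
    if (checked_add_size(payload, 16, &total) != 0) return NULL;
    uint8_t *buf = malloc(total);
    if (buf == NULL) return NULL;
    memset(buf, 0, 16);
    memcpy(buf + 16, src, payload);
    return buf;
}

/* Round-trip a small constructed record set through the checked path
 * and verify the copy; returns 1 on success, 0 otherwise. */
int checked_small_copy_ok(void) {
    const uint32_t records[4] = {0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u};
    uint8_t *buf = copy_records_checked(records, 4);
    if (buf == NULL) return 0;
    int ok = memcmp(buf + 16, records, sizeof records) == 0;
    free(buf);
    return ok;
}

int main(void) {
    /* Largest count whose multiply still fits in size_t; the +16 then wraps. */
    size_t huge = SIZE_MAX / sizeof(uint32_t);
    printf("unchecked size wraps for count=%zu: %d\n", huge, unchecked_size_wraps(huge));
    printf("checked path refuses it: %s\n",
           copy_records_checked(NULL, huge) == NULL ? "yes" : "no");
    printf("checked small copy ok: %d\n", checked_small_copy_ok());
    return 0;
}
```

Two boundary counts matter: SIZE_MAX / sizeof(uint32_t) passes the multiply but fails the add, and one more than that fails the multiply; the ad-hoc version silently wraps in both cases while the checked version returns NULL in both. That is the whole difference between a caller that gets a failure code and one that gets a short buffer.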

  2. Dear Microsoft.... by DigitalSorceress · · Score: 5, Funny

    Dear Microsoft,

    Dear gods, please catch a ride on the clue train. Businesses don't want Windows 8 - the retraining necessary is just too costly, and all the cool features involving touch are useless for the cube farm drones.

    So just stop your stupid shit, realize that Windows 7 is your next XP, make sure that Windows 9 undoes a lot of the silly bullshit, and maybe you won't completely jump the shark.

    Um also while I (fail to) have your attention - the Ribbon is still stupid. Stop wasting my screen real estate and go back to proper menus. // yeah I know it's a pipe dream, but I needed to rant and rage.

    --

    The Digital Sorceress
    1. Re:Dear Microsoft.... by Cley+Faye · · Score: 5, Informative

      You're very wrong when you say "all the cool features involving touch are useless for the cube farm drones."

      After having played with a Surface tablet and an "embedded" Windows 8 computer (those things that combine the computer and the screen), I can tell you this about the touch features: they are broken by design, get in the way of doing things (even moving a file is more complicated than using a mouse, and why doesn't the keyboard pop up when hitting a textbox?), and as such are useless for everyone, not just the cube farm drones.

    2. Re:Dear Microsoft.... by savuporo · · Score: 5, Funny

      Dear Microsoft,

      Please make Windows 9 touch only, do not give anyone any menu, use the well known principle of most surprise for the user interface design, break all possible APIs, come up with another Uncommon Language Runtime, force me to log into everything with the same username and password security be damned, put Bing in the way of actually getting to the internet and if you could Ribbon me another two or three screenfuls, all would be dandy.

      Only by implementing these urgent measures will you guarantee your local fanbase of 2 people will stay very loyal. And the rest can move on to better things and the world will be a better place.

      Thanks,
      Your local detractor.

      --
      http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
  3. Nope, not gonna downgrade to Windows 9 by penguinoid · · Score: 5, Interesting

    Sorry Microsoft, people use your product for two reasons: 1) it's well entrenched 2) it's easy to use and familiar. If you want them to switch from win 7 to win 8, you have to do it by ruining the usability of win 7, not its security.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  4. Re:Shoddy Ethics by Anonymous Coward · · Score: 5, Insightful

    Windows 7 is still supported, so doing this now isn't shoddy ethics, it's a breach of contract. If they think that having shorter support periods will drive more sales, then they have to start with Windows 9.

  5. Re:It's Time To Move On. by LordLimecat · · Score: 5, Interesting

    Richard Stallman is full of crap if he is claiming that Windows is endemically, technically less secure. Anyone remember the Pwn2Own games? Anyone remember what OS fell first every time? That's right, fully patched OSX (think that changed ~2012).

    This could turn into a debate lasting days, but suffice it to say that from a technical level Windows is pretty secure. 90% of all exploits these days hit third-party applications that also happen to run on Linux and OSX (Flash, Java, Adobe Reader). I'm sure Stallman would rail against those too, and he would actually be right, but the point is that the vast majority of users need those plugins and he is being deceitful if he is attempting to paint the various Flash Player exploits as problems with Windows, or as problems endemic to closed source software.

    And you, too, have a bit of gall posting this, after some of the hugest security holes to hit the net were just released, both affecting OSS. Ideology is great until you hit the real world, and realize that things are never as simple as "I hate Microsoft, therefore Windows is technically bad", or "Closed source software has trust issues, therefore all OSS is inherently more secure". My hope is that all who take this line will grow up and abandon their zealotry before they enter the workforce.

  6. Re:Shoddy Ethics by Poingggg · · Score: 5, Funny

    Breach of ethics is not possible for Microsoft: They never had any to break in the first place.

    --
    What person will donate an airborne act of love?
  7. Re:It's Time To Move On. by RR · · Score: 5, Insightful

    Richard Stallman is full of crap if he is claiming that Windows is endemically, technically less secure. Anyone remember the Pwn2Own games? Anyone remember what OS fell first every time? That's right, fully patched OSX (think that changed ~2012). This could turn into a debate lasting days, but suffice it to say that from a technical level Windows is pretty secure.

    You totally misunderstand Stallman's point. Stallman is not arguing that open source leads to better quality software. That would be Eric Raymond. Stallman is arguing that you can't trust Microsoft. More of an Auguste Kerckhoffs interpretation. And I don't see what OSX has to do with free software.

    Stallman objects to closed source philosophically, and Windows especially. In addition to being proprietary, Stallman is arguing that Windows has features to report your use of Microsoft software and potentially lock you out (Windows Activation), to add or delete software without warning (Windows Update), to track you across any device around the world (Microsoft Account), and to keep you from using the computer in inappropriate ways (Protected Media Path, Driver Signing, Secure Boot). I don't see how he's wrong.

    Somebody in the Chinese government seems to have noticed, and is now trying to get Windows banned there.

    My hope is that all who take this line will grow up and abandon their zealotry before they enter the workforce.

    "The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man." - George Bernard Shaw

    --
    Have a nice time.
  8. Re:I absolutely HATE to say this but... apk by Opportunist · · Score: 5, Insightful

    MS is the IBM of the new century. No, really.

    IBM was the "computer company" up 'til about the 1980s. You could simply not ignore IBM if you had anything to do with computers in a way that goes beyond hobbyist interests. You had a company and that company used computers? You had IBM. You might have had some other tools and toys, but the core of your computer system, the backbone, the framework and pretty much everything that was relevant to actually getting and keeping your computer system running was IBM.

    This of course led to some serious hubris by IBM. The same "my way or the highway" attitude you can see in MS today. We tell you what you buy and you will eat our shit and call it chocolate fudge. I guess it goes without saying that this didn't really sit too well with the various companies, but, well, what can you do? If you need computers in your company, you can't ignore IBM.

    Times changed and PCs came, and IBM ignored them as petty machines that don't fit their paradigm of the mainframe - terminal ideal. They did enter the PC market halfheartedly, but when they noticed that the PC is here to stay, they tried to regain control over it. The MCA illustrates this very well. It was a bus vastly superior to the (then standard) ISA bus. Their licensing practice ignored completely the emerging PC clone market, though, the market that became more and more important as small companies and private people wanted to use PCs and considered money a deciding factor for the choice of computers. Add that companies so far using IBM wanted to get out of their stranglehold and one can easily see why the "clones" became more and more popular and why a bus that was at least on par with the later very popular PCI bus never became popular or widely supported by third party manufacturers.

    MS is now following that "my way or the highway" hubris. I guess they need to learn it, too, that you can only force people to drink your Kool-Aid as long as they don't have an alternative.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:It's Time To Move On. by SeaFox · · Score: 5, Insightful

    Richard Stallman is full of crap if he is claiming that Windows is endemically, technically less secure. Anyone remember the Pwn2Own games? Anyone remember what OS fell first every time? That's right, fully patched OSX (think that changed ~2012).

    Yes, and OSX falling first had nothing to do with the participants specifically targeting it. I mean, they would have nothing to gain from focusing their efforts on a single operating system, like the bragging rights of hacking a supposedly "secure" platform, or taking Macintosh snobs down a notch, or winning a $2000 Mac laptop instead of a $500 Dell. No siree.