
Windows 10 patching could make older systems vulnerable

Microsoft's practice of automatic Windows 10 patching could be uncovering vulnerabilities in older systems that can be exploited by attackers, Google researchers said.

Researchers said Microsoft's practice of prioritizing Windows 10 patching might have a negative effect on older supported systems if fixes aren't made available at the same time.

Mateusz Jurczyk, security researcher for Google Project Zero, said Microsoft's practice of pushing software fixes for Windows 10 first could allow malicious actors to find those same vulnerabilities in older versions of Windows, and this becomes a problem if Microsoft doesn't also release patches for those systems.

Jurczyk said malicious actors will often reverse-engineer a patch to find the original flaw, then locate that same vulnerability in an unpatched system by comparing the code of patched and unpatched systems (patch diffing) or of different versions of a product (binary diffing). Jurczyk said this is especially dangerous when Microsoft prioritizes Windows 10 patching over older supported systems.

"While Windows 7 still has a nearly 50% share on the desktop market at the time of this writing, Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bugfixes [sic] only to the most recent Windows platform," Jurczyk wrote in a blog post. "This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows."

How Windows 10 patching uncovered older flaws

Jurczyk went on to detail how Windows 10 patching allowed Project Zero to find a Windows kernel memory disclosure flaw in older systems.

"Considering how evident the patch was in Windows 10 (a completely new memset call in a top-level syscall handler)," Jurczyk wrote, "I suspected there could be other similar issues lurking in the older kernels that have been silently fixed by Microsoft in the more recent ones."
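The bug class behind a fix like that memset, as an added illustration that is not from the article or from Project Zero's write-up: a handler that populates only some fields of a structure and then copies the whole structure to the caller hands back whatever the padding bytes and unwritten fields previously held, and zeroing the block before populating it is the one-line fix. Every name here (info_block_t, query_info_before, query_info_after, count_stale_bytes, the simulated pool) is constructed for this example; the 0xAA marker stands in for stale memory contents. The check at the end is the kind of side-by-side comparison a reviewer diffing the two versions of a handler would make.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example structure returned to user mode by a syscall-like
 * handler. The compiler inserts padding between 'flags' (1 byte) and
 * 'size' (8 bytes); 'reserved' is never written by the handler. */
typedef struct {
    uint8_t  flags;
    /* padding bytes live here on typical 64-bit ABIs */
    uint64_t size;
    uint32_t reserved[4];
} info_block_t;

/* Simulated allocation that previously held other data: every byte is
 * set to the 0xAA marker to stand in for a prior caller's leftovers. */
static info_block_t scratch_pool;

static info_block_t *pool_alloc_no_zero(void) {
    memset(&scratch_pool, 0xAA, sizeof scratch_pool);
    return &scratch_pool;
}

/* "Before" handler: only the fields it means to set are written, and the
 * whole block, padding and unused fields included, is copied out. */
size_t query_info_before(uint8_t *user_out, size_t user_len) {
    info_block_t *blk = pool_alloc_no_zero();
    blk->flags = 1;
    blk->size = 4096;
    if (user_len < sizeof *blk) return 0;
    memcpy(user_out, blk, sizeof *blk);
    return sizeof *blk;
}

/* "After" handler: the block is zeroed before any field is populated,
 * the one-line change the article describes. */
size_t query_info_after(uint8_t *user_out, size_t user_len) {
    info_block_t *blk = pool_alloc_no_zero();
    memset(blk, 0, sizeof *blk);
    blk->flags = 1;
    blk->size = 4096;
    if (user_len < sizeof *blk) return 0;
    memcpy(user_out, blk, sizeof *blk);
    return sizeof *blk;
}

/* Defender-side check: count bytes in the copied-out block that the
 * handler never assigned yet still carry the stale 0xAA marker.
 * A non-zero count means prior memory contents reach the caller.
 * offsetof keeps the check independent of the exact padding layout. */
size_t count_stale_bytes(size_t (*handler)(uint8_t *, size_t)) {
    uint8_t out[sizeof(info_block_t)];
    size_t n = handler(out, sizeof out);
    size_t stale = 0;
    for (size_t i = 0; i < n; i++) {
        int assigned =
            (i == offsetof(info_block_t, flags)) ||
            (i >= offsetof(info_block_t, size) &&
             i <  offsetof(info_block_t, size) + sizeof(uint64_t));
        if (!assigned && out[i] == 0xAA) stale++;
    }
    return stale;
}

int main(void) {
    printf("stale bytes reaching the caller before the fix: %zu\n",
           count_stale_bytes(query_info_before));
    printf("stale bytes reaching the caller after the fix:  %zu\n",
           count_stale_bytes(query_info_after));
    return 0;
}
```

On a 64-bit ABI the structure is 32 bytes, of which the handler assigns nine (the flag byte and the eight-byte size), so the unfixed handler leaks the remaining 23 bytes of padding and reserved fields while the fixed one leaks none. The zeroing is cheap relative to the copy that follows it, which is why a blanket memset before populating any structure destined for user mode is the usual hardening rule rather than trying to track which fields and padding bytes were touched.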

In a May disclosure of the issue, Jurczyk noted evidence suggesting "the issue was identified internally by Microsoft, but only fixed in Windows 10 and not backported to earlier versions of the system."

Although the Windows 10 patching was done quietly earlier in the year, Microsoft didn't release patches for Windows 7 or Windows 8 until September's Patch Tuesday.

Microsoft has been vocal about wanting enterprise users to move to automatic Windows 10 patching with three update branch options, rather than waiting for the monthly Security Update Guide releases, but users have been hesitant due to fears about patches causing more issues.

Windows 7 is due to receive Microsoft support until January 2020 and Windows 8.1 until January 2023.

Microsoft did not respond to requests for comment at the time of this post.


What do you think of Microsoft's patching policy?
The people using older OSes should be upgrading at this point. If those folks refuse to upgrade, then they deserve to get what's coming to them. Windows 10 was a free upgrade and people refused, so it's now on the user. Windows 10 has also had 3 major updates which added features and fixed bugs, so again it's the user's fault if the older OS gets nailed by an attacker.

Sorry, I do not agree with your post. No need to upgrade your OS until it is not supported by Microsoft. There are so many features in Windows 10 I do not like.

I disagree; even if you don't like the features, that does not mean somebody else does not. Windows isn't made just for you; it's for the masses. TLS 1.2 BARELY got updated for Windows 7, which is a huge security bump to the positive. Windows 7 and 8 do not support DirectX 12, but since Vulkan is taking off the importance is diminishing. Windows 10 runs Linux subroutines, which make Windows 10 more stable with overall better security. Windows 10 IS an upgrade over previous OSes, but the problem is not the OS, it's the people too lazy or complacent to make the change. If Windows would and could, I suggest dropping Windows 7 altogether now and stop supporting the past and move on to the future. However, I plan to ditch Windows entirely and go to Linux soon, so whatever. Linux is free with far better security and privacy. Gaming is becoming a thing for Linux now, even though the adoption is still a bit slow.

In Windows 10, Microsoft is creating massive risks for users and a burden for itself. By having three different strands of updates in Windows 10, Microsoft is clearly spreading its remedial resources so thin that it can't maintain older products that it claims to support.

The Windows 10 philosophy of introducing new features before fixing known errors means that Marketing has completely compromised Quality Assurance -- and to suggest that Windows 7 users should move promptly to Windows 10 is a dangerous, ill-founded policy.

Please, Microsoft, stop this approach before you ruin yourself and the whole community of Windows users.