Microsoft is patching Windows 8 but NOT Windows 7

[PaulGo]

Redmond is patching Windows 8 but NOT Windows 7, say security bods

Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems.
Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities.


The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks.

Redmond is patching Windows 8 but NOT Windows 7, say security bods ? The Register

 

[ThrashZone]

It's always a risk to have open apps with a constant feed win-8 is pretty much on steroids as far as constant feeds,
I can't say windows 7 type of apps/programs/toolbars are much different security wise,
Best is to do without them and use them as a site you access like a home page or favorite ?

Sync has always I've thought to be the new biggest security hole waiting to be exploited / Onedrive desktop/ Dropbox../.....
Cloud.../ websites Share this and that
Nothing is 100% secure and the disclaimers usually point that out,
But Microsoft abandoning win-7 ?
Cheers.

 

[A Guy]

http://www.sevenforums.com/security...ws-8-but-not-windows-7-say-security-bods.html

A Guy

 

[RoasterMen]

They can abandon Windows 7 and loose their money and their trust from their customers or continue the updates for Windows 7 because W7's lifespan is still a bit long :\

 

[jimbo45]

Hi there

You need to understand the basic difference in how security works between W7 and W8. In W8 itself it is built in to the kernel and several modules . Windows defender (confusing as this is NOT the same as Windows defender in W7) which is really a re-write of Ms Security essentials but built in to the kernel is patched daily.

Windows 7 relies more on EXTERNAL / 3rd party packages for security so it's up to the security vendor to supply patches to those. Ms will of course patch its own products such as MSE (Microsoft security essentials) and IE.

I doubt if W7 is essentially more insecure than W8.1 currently -- patches, time lines for these patches and modules to be patched cannot be equated on the whole with the same set used in W8.1

W7 being used by enterprises much more than W8.1 will certainly for the immediate future not be left vulnerable to the latest hacks - however Ms can't be responsible for any weaknesses / loopholes caused by badly written 3rd party programs.

W8 / W8.1 has types of "always active" apps (metro etc) so security for ensuring those types of things are safe operates totally differently from W7 which is in essence a "static" OS in that you rarely have loads of apps integrated into the OS which are running constantly - excluding system tasks etc.

Cheers
jimbo

 

[Britton30]

MS is in fact, updating w7, I just installed 14 updates, 9 of which are security related to the OS, the rest for Office stuff.

Jimbo, can you explain "kernel" so my 3 brain cells can comprehend it? I see the word bandied about all the time.

 

[Indianatone]

I suspect some of the things that are being patched in Windows 8 / 8.1 and not in Windows 7 do not exist in Windows 7 or Vista. For example the metro ecosystem. The whole report is a load of tosh.

 

[jimbo45]

MS is in fact, updating w7, I just installed 14 updates, 9 of which are security related to the OS, the rest for Office stuff.

Jimbo, can you explain "kernel" so my 3 brain cells can comprehend it? I see the word bandied about all the time.

Hi there.

Trying to explain Operating systems in a few words is a problem -- however an OS consists of basically a TASK manager which handles all its central functions like managing memory / paging / I/O calls etc and an interface which application programs ("apps") - things like say your DVD player software or E-mail call to execute.

The kernel is essentially the main core of the operating system which runs and controls all the processes happening in the computer.

Normally the System services and programs run in "protected mode" -- normal "User programs" (your Apps) can't run in this mode - and these programs are normally part of the kernel - or the central program which is always running in your system. For example when you type something on a keyboard the operating system has to have a program that knows exactly when the keyboard is used and what it has to do. (In technical terms this is called "an Interrupt" and the Interrupt manager in the OS will depending on the type of action required call the relevant application to handle the request - for example keyboard input / disk I/O / Screen display etc).

For example after booting Windows you can start an application -- so you must have some program running which is looking or waiting for a command to start your application. After booting you might not enter anything for 30 mins -- but there must be an underlying process running which is notified as soon as you make a mouse click / a keyboard stroke.

Your application isn't concerned with memory management / I/O etc etc. The Operating system ensures that applications run and use their own areas and data from one application isn't corrupted with data from another.

Operating systems are very COMPLEX and to describe them properly goes way beyond the scope of this post. A bit of googling should give you further info.

Cheers
jimbo

 

[Kevin 7]

If you have problems installing certain updates for windows 7 operating systems, MS will try and tell you the problem is with you and your computer. Most of the time this is not true. If it's just one update or even two out of many, the problem is with MS. It's not you. It's still a good idea to to run chkdsk in cmd just to make sure and run a good full security scan with your security provider. You can fix most problems with cmd. Wait a while...a week or two and MS will eventually fix the error. Chances it's not just you but a lot of people going through the same thing. MS is now geared up for windows 8 and those of us with 7, vista or xp take a back seat.

 

[Cr00zng]

While the kernel does manage memory addresses for applications, the actual memory size and what's written there is controlled by the application in question. The kernel basically allocates the memory buffer, or heap, as requested by the application and the application controls what's written in this buffer. If the size of data being written is greater than the buffer allocation size, then the buffer overflow will take place. And that's not a good thing. The intentionally triggered buffer overflow can crash the system in good case. In bad case, the buffer overflow is used to execute arbitrary code that compromises the system.

Most applications are developed in C/C++ language, that has no built-in routine/function to check/restrict memory buffer boundaries. The developers are suppose to write their own routine that performs this function, but that does not happen all the times.

The Windows SDK, that includes C/C++, has built-in routines for application developers to enforce the memory buffer boundaries, so they don't need to write their own. What the article is complaining about is the difference between intsafe.h (SDK 7 for W7) and strsafe.h (SDK 8 for W8) libraries. Comparing these libraries is pretty much irrelevant, as far as the status of the security patch is concerned for the indicated OS.

As more and more buffer overflow technology utilized by hackers become known, the more "safe functions" will be added to the SDK libraries. Some of them will be forward looking only, while others may make it to the previous version to SDK libraries. This could be a decision based on compatibility and not an intent of abandoning previous OS versions, that are still supported.

The programming error resulting in buffer overflows is the main reason why I use MS EMET 5.0. EMET protects the OS, applications, and browsers against 13 known buffer overflow technologies. Will it protect against all of them? Well, no... There's nothing that programmatically can protect your system against a programmer error...

 

[jimbo45]

Hi there

Shows IBM were great all those years ago when they developed the MVS/370 system for their mainframes. There was a protected mode command that could ONY be executed by the "Nucleus" or kernel that flipped a "PSW" bit to a 0 or 1 which told the system whether the application was running in "Protected mode" or in "application mode".

If the application was a non IBM authorized routine it could not issue a status change to the PSW (Program Status Word) so it couldn't allocate its own memory etc but had to stick totally within application areas.

S/370 Assembler Tutorial - Introduction to S/370 Principles of Operation - Part Three - Chapter 4 - Control

For anybody wanting to learn about OS design the IBM MVS/370 is an excellent start as it still embodies good OS design - even after all these years - including Virtual memory and I/O management. Modern OS'es often are based on the old IBM MVS/370 principles.

(@all younger readers -- nothing wrong in learning from solid older applications --IBM MVS/370 is a classic in OS design -- same way that modern Road / Highway construction takes many elements from Ancient Roman Engineering -- although obviously not basing manpower requirements on the slavery principle they had back then).


I think in all the years IBM MVS/370 was around NOBODY apart from possibly some insider "System Programmers" ever managed to Hack the OS. Of course Hacking has got a lot more sophisticated these days but IBM MVS/370 will go down in history as one of the greatest OS'es ever in computer design.

You can run this also on a PC these days via the Hercules emulator if you want to try running a mainframe OS on your PC. !!! Nostalgia days . Screenshots shown running MVS/370 on a PC with Hercules emulator !!.

The MVS Turkey New User's Cookbook

Cheers
jimbo

 

[Cr00zng]

The S/370, 390, and now z/OS are pretty much the same from the memory management's perspective. In another word, it is still kernel controlled that includes enforcing the memory boundaries. The assembler programing language in itself is the same as C/C++ from the memory management perspective, there are no built-in routines for buffer boundaries enforcement. The mainframe app programmers must write their own memory control and failure to do so could result in app crash, since MVS will not allow out of bound writing to the memory.

While others, such as *NIX, FreeBSD/OSX, NT kernels don't have MVS level of memory management; however, additional modules try to address buffer overflow vulnerabilities in application and to a certain extent within the OS via Pax, OpenWall, StackDefender, etc. And yes, EMET is one of the add on...

But I have to agree with you and MVS, memory management should strictly be controlled by the kernel and not by the applications...

 

[Britton30]

Thanks Jimbo, that's what I wanted to know. It seems you and Cr00zng use the same "native language."