If you are a regular reader of Komando.com, you should know by now that the second Tuesday of each month is unofficially called Patch or Update Tuesday by tech fans and IT pros alike.
This is when Microsoft releases updates and fixes for its line of software products. These updates usually contain bug fixes, security patches and a refreshed Malicious Software Removal Tool for the supported Windows operating systems (Windows 10, Windows 8.1 and Windows 7), plus fixes for a slew of other Microsoft products; Adobe ships its own updates on the same day.
We recently told you about Microsoft’s September software updates that apparently introduced a number of other bugs that needed unscheduled, emergency patches (known as “out-of-band” fixes) to resolve. Some bugs, especially for older Windows systems, don’t even have fixes to this day.
Who’s at risk?
And this is where the problem with Microsoft’s security updates lies: which Windows version gets the fix first. According to Google Project Zero researchers, security flaws are being quietly patched in major Windows 10 updates while the same bugs in the older, still-supported Windows 7 and Windows 8.1 often get their fixes at a much later date.
This means an attacker can compare the patched Windows 10 binary with the previous build (or with the Windows 7 or 8.1 build of the same DLL), see exactly what code the fix changed, and check whether the corresponding code in the older versions is still the unpatched version. This is obviously a big security risk for Windows 7 and Windows 8.1 systems, which are still widely used by homes and businesses worldwide.
“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform,” said Google Project Zero researcher Mateusz Jurczyk.
“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows,” he continued.
For example, a major information disclosure bug was fixed in Windows 10 but remained in Windows 7 and 8.1 for months until it was finally patched in September.
This months-long gap in security patch deployment to older Windows versions is making them highly vulnerable to attacks that specifically target the weak spots that, ironically, Windows 10 security updates reveal.
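The comparison described above, known as patch diffing, can be illustrated in a few lines. The script below is an added example written for this article; it is not Project Zero’s tooling and not Komando.com’s code. It matches functions by name across two builds of a module, reports which byte ranges a fix changed, and then checks whether a third build (standing in for the Windows 7 copy of the same DLL) carries that change. The byte strings are hand-constructed stand-ins for x86 function bodies (a hypothetical function `ExampleFn` that gains a buffer-zeroing call); they are not taken from any real Windows binary, and real work would use a disassembler-level diff rather than raw bytes.

```python
"""Patch-diffing demo: find what a fix changed in one build of a module and
check whether another build carries the same change.

Illustrative script only. The byte strings are hand-constructed stand-ins for
x86 function bodies; none of them come from a real Windows binary.
"""
from difflib import SequenceMatcher


def diff_module(old_module: dict, new_module: dict) -> dict:
    """Compare functions present in both builds, matched by name.

    Returns {name: [(tag, old_off, old_len, new_off, new_len), ...]} for every
    function whose bytes differ; tag is 'insert', 'delete' or 'replace'.
    """
    report = {}
    for name, old_bytes in old_module.items():
        new_bytes = new_module.get(name)
        if new_bytes is None or new_bytes == old_bytes:
            continue
        matcher = SequenceMatcher(None, old_bytes, new_bytes, autojunk=False)
        report[name] = [
            (tag, i1, i2 - i1, j1, j2 - j1)
            for tag, i1, i2, j1, j2 in matcher.get_opcodes()
            if tag != "equal"
        ]
    return report


def added_code(old_bytes: bytes, new_bytes: bytes) -> list:
    """Return the byte fragments the new build introduced (inserted or replaced)."""
    matcher = SequenceMatcher(None, old_bytes, new_bytes, autojunk=False)
    return [new_bytes[j1:j2] for tag, _, _, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]


def carries_fix(candidate: bytes, fragments: list) -> bool:
    """True if every fragment the fix introduced is present in candidate."""
    return all(fragment in candidate for fragment in fragments)


def find_unpatched(old_module: dict, new_module: dict, other_module: dict) -> list:
    """Names of functions the fix changed whose copy in other_module lacks the change."""
    unpatched = []
    for name in diff_module(old_module, new_module):
        fragments = added_code(old_module[name], new_module[name])
        other = other_module.get(name)
        if other is not None and not carries_fix(other, fragments):
            unpatched.append(name)
    return unpatched


# Constructed sample (not real Windows code): an old function that hands an
# uninitialised stack buffer to a callee ...
OLD_FN = bytes.fromhex("558bec83ec20" "8d45e050e800000000" "8be55dc3")
# ... and the fixed build, which now makes an extra call first
# (push 0x20; push 0; push edi; call rel32; add esp, 0xc), a stand-in for
# zeroing the buffer before use.
ZEROING = bytes.fromhex("6a206a0057e81122334483c40c")
NEW_FN = OLD_FN[:6] + ZEROING + OLD_FN[6:]

WIN10_OLD = {"ExampleFn": OLD_FN}     # pre-patch Windows 10 build (constructed)
WIN10_NEW = {"ExampleFn": NEW_FN}     # patched Windows 10 build (constructed)
WIN7_CURRENT = {"ExampleFn": OLD_FN}  # current Windows 7 build (constructed)


if __name__ == "__main__":
    for name, changes in diff_module(WIN10_OLD, WIN10_NEW).items():
        print(name, changes)
    print("changed in Windows 10 but not in Windows 7:",
          find_unpatched(WIN10_OLD, WIN10_NEW, WIN7_CURRENT))
```

Run stand-alone, the script reports a 13-byte insertion at offset 6 of `ExampleFn` and lists the function as still unpatched in the constructed Windows 7 build. The same three steps (match functions, locate the changed bytes, look for the change elsewhere) are what make an unsynchronised fix across Windows versions so cheap to turn against the version that has not yet received it.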
Besides having a large user base, Windows 7 and Windows 8.1 are still supported by Microsoft with security updates: Windows 7 is scheduled to receive them until January 14, 2020, and Windows 8.1 until January 10, 2023.
Although patches are still regularly rolled out on a monthly basis for all supported Windows versions, this apparent lag in deployment puts millions of users of older Windows systems at risk each time a major Windows 10 update is rolled out.
In response, Microsoft’s canned statement is this: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Hmm, now we have to wonder if these lags are by design just to push people into upgrading to “Windows 10 and the Microsoft Edge browser for the best protection.”
Now, with the Google Project Zero team’s findings, the public is left with these scenarios: either Microsoft starts deploying security fixes at the same time across the board, or people should just stop using Windows 7 and 8.1 altogether. Which one do you think is the pro-consumer choice?