Redmond is patching Windows 8 but NOT Windows 7, say security bods

Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day …

COMMENTS

  1. Christoph

    Interesting. They announced the end of security patches for Windows XP with years of advance warning and fanfare, so they obviously thought it extremely important to warn users about it.

    Which gives them a lot to explain if they've ended Windows 7 security support on the quiet a few days later.

    1. NumptyScrub

      Or potentially they just decided not to add extra functions to Windows 7, that they did add to Win8:

      quote from the article: "Why is it that Microsoft inserted a safe function into Windows 8 [but not] Windows 7? The answer is money - Microsoft does not want to waste development time on older operating systems ... and they want people to move to higher operating systems," Joseph said in a presentation at the Troopers14 conference.

      The fact that these extra functions are aimed at developers, and as far as I can tell are intended to provide bounds checked variables (e.g. protected against buffer overflow shenanigans) could be cause for some concern. It does not count as a fix of existing broken functionality though, so I don't see how it would qualify as MS "ending support" for Win7 if they chose not to add these extras to all existing OSs of theirs.

      1. Suricou Raven

        But wouldn't any software developed to use these functions then be unable to run on Windows 7? Perhaps that is Microsoft's real motivation. It will increase the amount of 'Windows 8 only' software developed.

        1. Anonymous Coward

          "... unable to run on Windows 7?"

          Those are not OS APIs. Those are simply C SDK library functions an application can call - as long as they are inlined, statically linked or the proper C runtime libraries are deployed, the application will work.

    2. big_D Silver badge

      You did know that Windows 7 introduced a lot of new safety features that were never back ported to Windows XP, didn't you?

      Google do the same with Android and ChromeOS, Apple the same with iOS and OS X, the Linux community as well.

      The world moves on and each new iteration of a platform introduces new safety features that the old ones do not have. They don't get them because they are no longer current and the architecture in the newer versions includes extra hooks which are missing in the older versions, so the new safety features can't simply be backported.

      I think it is disgusting, Toyota improved the safety features in the new Verso and they won't build them into my 2010 model for free!

      1. John Savard

        It's pretty easy to replace the old version of Linux with a new version. Since Microsoft charges quite a bit for operating system upgrades, and, furthermore, newer versions of their operating systems do not have the same hardware requirements as older versions (I ran Windows 3.1 under DOS without problems on a 386 with 2 Megabytes of RAM; can I upgrade to Windows 8?) failure to correct mistakes they made in the software when they released it which allow unauthorized misuse of people's computers is a problem.

        Windows XP shouldn't have had any mistakes in it, any possible exploits, and since it did, that was Microsoft's fault, therefore Microsoft should have to fix them. Until Microsoft finally gets it right.

        Unlike putting safety features in cars, after all, no physical parts that are made of metal that costs money are involved. They can just write the patches once, although I have to admit there's no easy way for Microsoft to let someone else bear the expense of hosting them, given the Windows Update mechanism.

        1. big_D Silver badge

          @John Savard

          Easy to replace the old version of Linux? Not so easy. We still have customers running SUSE 6.0, because the software they rely on was written for that Kernel and they are unwilling to pay the supplier for an upgrade to a newer version.

          Likewise, Linux used to run on a 386 with a couple of MB RAM as well. Good luck getting Ubuntu on anything that small or with a processor with that architecture.

          The core of Windows XP was developed before the Internet. And due to poorly written 9x software, they couldn't turn on the security it did support without breaking everything. Because people carried on using Administrator accounts, the situation didn't improve for a long time. Plus you are talking about millions of lines of code written by humans! Even a short story published to Amazon is going to have lots of spelling mistakes, heck living in Germany I look at some of the translations that are done to classic novels and I can only shake my head at the mistakes and inconsistencies in translation that some publishers make. Computer code is a lot more complex. You will never get it 100% bug free and 100% safe, not in our lifetimes - unless you manage to find an infinite number of monkeys and can convince them to work on XP instead of Shakespeare...

          And if it were the case, that the OS had to be 100% bug free before it could be released, we would probably still be using MS-DOS or we might have made it to Windows 3.1. Linux would also still probably be awaiting its first "stable" release. Code is made to the best standards we can and at some point somebody has to take a decision, "is it stable enough, good enough to be released?" The same goes for most industries, just look at the number of car safety recalls, cars are death traps and should never be let on the road!

          "Unlike putting safety features in cars, after all, no physical parts that are made of metal that costs money are involved."

          So all those thousands of programmers working at Microsoft to fix the bugs and come up with new methods are working for free?

          1. Ian 55

            "The core of Windows XP was developed before the Internet."

            Really?

            "Not to be confused with the World Wide Web", as WP's page on the Internet says at the top.

            Even Windows 95 was developed after the Web.

            1. big_D Silver badge

              Re: "The core of Windows XP was developed before the Internet."

              The development of NT was begun before Windows 95 and before PCs were generally put on the Internet.

              1. Anonymous Coward

                Re: "The core of Windows XP was developed before the Internet."

                Before Microsoft had realised the Internet was going to be a thing...

              2. Charles Manning

                Re: "The core of Windows XP was developed before the Internet."

                "The development of NT was begun before Windows 95 and before PCs were generally put on the Internet."

                Not quite.

                It was begun before Microsoft acknowledged they'd lost this battle.

                Before then Microsoft was trying to get people cloistered in Microsoft proprietary protocols (NetBIOS, SMB,...).

                1. Anonymous Coward

                  Re: "The core of Windows XP was developed before the Internet."

                  It looks like you have no clue about protocols... what they do and where they are used.

              3. Tom 13

                Re: "The core of Windows XP was developed before the Internet."

                "The development of NT was begun before Windows 95"

                While hyper-technically correct, your shifting ground shows the faultiness of your original statement.

                Generally when one speaks of the "core of XP" that means Windows 2000, which yes, was built on the NT kernel begun way way back with Windows NT 3.5. But the shifts from 3.5 to 4, to 2000 are so significant that when you speak of the kernel you actually call it out. By NT4.0 MS had already realized the internet was not going to be the fading fad Bill Gates confidently predicted it would be. That's pretty much what the whole IE monopoly case was all about, and that centers around Windows 95B-D/98. Gates shit a brick when he realized what a colossal mistake he'd made and reached for his monopoly power to fix it. With the help of a daft judge and an incompetent prosecution he managed to slip through.

                1. big_D Silver badge

                  Re: "The core of Windows XP was developed before the Internet."

                  @Tom

                  Correct, I was simplifying the whole thing for brevity. You are correct, but the development of NT started at a time when the Internet was reserved for a few mainframes and the odd PC connecting via modem. How many PCs back then were internet connected? A couple of percent?

                  They weren't designed with that level of security in mind. The systems were designed to be secure on a closed network, where the biggest risk was a rogue employee, so buffer overruns etc. were the least of the worries, as were firewalls etc.

                  Security has been slapped on in layers as each new layer has shown its cracks.

                  Mix that in with purposely weakening the default security on XP so that poorly written 9x code would run on it - such as making the standard user also an administrator, something which every best practice book says you should never do - and you have a system that was never designed to be let loose on the Internet.

                  Each newer version has tightened up the security at the expense of the ability to run unsecured or poorly written legacy code.

      2. Anonymous Coward

        Actually, the Linux guys usually do backport security fixes. Possibly more importantly, they also don't charge for the next version.

        Hey look at that! You got a free Toyota 2010 model, a free Verso upgrade but are left with a rather broken car analogy.

        Not that it has anything to do with what MS are doing.

      3. Anonymous Coward

        "I think it is disgusting, Toyota improved the safety features in the new Verso and they won't build them into my 2010 model for free!"

        Right, because backporting lines of code in an IDE and recompiling is really on the same level of difficulty as designing and then physically adding new hardware to millions of vehicles isn't it.

        Idiot.

        1. h4rm0ny

          >>"Right, because backporting lines of code in an IDE and recompiling is really on the same level of difficulty as designing and then physically adding new hardware to millions of vehicles isn't it. Idiot."

          You're either not a programmer, have never worked at Systems level programming or you have management that never do regression testing or impose timescales.

          1. Anonymous Coward

            >You're either not a programmer, have never worked at Systems level programming or you have management that never do regression testing or impose timescales.

            LOL! My friend - I've done unix systems programming for over 20 years - I probably read Stevens when you were still in short trousers. I've also done mechanics. Believe me - designing a fix for a vehicle when there are structural, safety, efficiency and space considerations to take into account, not to mention the warranty to consider if you feck it up and the owners want a replacement - is a lot harder than updating and testing some software which has to worry about none of the above.

            1. h4rm0ny

              >>"LOL! My friend - I've done unix systems programming for over 20 years - I probably read Stevens when you were still in short trousers"

              If you really want to go with the "I'm right because I'm an expert" argument with a side of sneering dismissal of the other person as inexperienced, then I'm actually about the same career-wise. UNIX programmer about fifteen years ago, still do some programming today though I've dipped in and out of management for the last ten years in between programming contracts. And what I said was absolutely right. What you wrote was rubbish - to dismiss backporting code to earlier OS versions. You ignore finite resource, regression testing.

              And your response is essentially to try and claim superior experience over someone you don't even know and to build up your car metaphor even further - as if by showing difficulties with cars you can argue that deep-level OS changes are trivial.

              I'm honestly inclined to call bullshit on your whole bigging yourself up.

              1. Anonymous Coward

                "I'm honestly inclined to call bullshit on your whole bigging yourself up."

                If you actually had a clue about designing mechanical systems I might take some notice of your sad little hurt pride rant. However clearly you don't and obviously don't know anything outside of software (and as for implying working project management gives you more of a heads up - oh please) so don't even pretend to be able to make a valid statement on the difference.

                Testing and releasing system software is a walk in the park compared to releasing safety critical new hardware. This is a fact and it is NOT up for debate. Now go back to your Gantt charts and PowerPoint presentations where clearly you belong.

        2. Anonymous Coward

          @boltar

          "Idiot."

          Well signed that man!

      4. Think ...

        But what about an upgrade path ?

        It's my understanding that Windows 8.1 could not be upgraded to directly from Windows 7. My last upgrade was from 7 to 8 to 8.1 ! How can Microsoft just abandon Windows 7 users ? Oh yeah, their answer to everything, wipe the drive (data, applications & configurations) and DO A "CLEAN INSTALL" .. YOU KNOW WE'RE THE CUSTOMER; WE ALL HAVE PLENTY OF FREE TIME TO KILL !

    3. david 12 Silver badge

      ummm. But this has nothing to do with security patches. Or patches.

      And the word "Safe" is used only as a convention for this class of C library functions: it's a bit of a misnomer really: unlike other languages, the "safety" still depends on the programmer programming checks on the length of strings, it just provides a structured way of doing so.
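The point made in the post above, as an added example that is not from the article, the thread or Microsoft's libraries: a bounds-checked copy routine in the style of the "safe" C string functions only enforces the size its caller hands it, so the programmer's own length bookkeeping still decides whether it protects anything. `bounded_strcpy`, `BOUNDED_STRCPY_ARRAY` and `struct user_record` are constructed for this illustration and are assumptions, not real library names.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed stand-in for a "safe" string copy (assumption: not Microsoft's
 * code). Returns 0 on success, EINVAL for bad arguments, and ERANGE when the
 * source does not fit; on ERANGE the destination is left as an empty string
 * instead of being truncated silently.
 */
int bounded_strcpy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return EINVAL;

    /* Only scan as many source bytes as could possibly fit in dst. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len == dst_size) {      /* no room left for the terminator */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, len + 1);  /* copies the NUL as well */
    return 0;
}

/*
 * The routine can only check against the size it is told. Taking that size
 * from the array itself removes the caller's chance to pass a stale or
 * guessed number. Use only with real arrays: sizeof a pointer would yield
 * the pointer's size, not the buffer's.
 */
#define BOUNDED_STRCPY_ARRAY(arr, src) \
    bounded_strcpy((arr), sizeof(arr), (src))

/* Fixed-size record of the kind usually filled from untrusted input (constructed). */
struct user_record {
    char name[16];
    char role[8];
};

/* Fills a record, rejecting over-long fields rather than truncating them. */
int fill_record(struct user_record *rec, const char *name, const char *role)
{
    int rc = BOUNDED_STRCPY_ARRAY(rec->name, name);
    if (rc != 0)
        return rc;
    return BOUNDED_STRCPY_ARRAY(rec->role, role);
}
```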

    4. Fibbles

      Are these really security holes? It looks to me like Microsoft is simply not including some quality-of-life functions into their Windows 7 libraries. Not having these functions means a programmer has to be more careful but it shouldn't make the library any less secure if said programmer is following best practices.

      1. big_D Silver badge

        You are being too logical Fibbles, the conversation has majorly digressed into general security issues.

  2. Neil B

    The truth will undoubtedly be way more mundane than these guys think. Scheduling, different teams owning different bits of different OS's, simple oversight, that kind of thing. But why let that get in the way of a jab at MS?

    1. Gav

      song and dance

      Or it could simply be that Windows 7 doesn't need these patches, or need to call these functions in as many places. It's not impossible that Windows 8 had a security hole that needed fixing that Windows 7 didn't.

      There are dozens of perfectly rational explanations more likely than this simplistic "count then speculate" song and dance.

      I spy publicity stunt.

      1. Arctic fox

        @Gav "I spy publicity stunt"

        Not to mention that this bunch may have a commercial interest here. In fact the accusation is, IMHO, unlikely. Win 7 is still crucial for Redmond within enterprise. Bluntly put, they cannot afford to piss around like that.

        1. Eddy Ito

          Re: @Gav "I spy publicity stunt"

          It's easy to imagine it could all be chalked up to [patching, extending, securing] the Metro-Hexual UI TIFKAM which is something that simply doesn't apply to Windows 7.

      2. big_D Silver badge

        Re: song and dance

        @Gav, more likely that Windows 8 has new safety features that weren't even conceived when Windows 7 was built.

        Windows 7 includes a lot more safety features than Vista did, Vista has more safety features than XP, XP has more safety features than Windows 9x...

        The same is true for OS X, iOS, Android etc. the older versions don't get the new and improved security features. If you want them, you need to upgrade.

    2. Anonymous Coward

      "The truth will undoubtedly be way more mundane than these guys think. Scheduling, different teams owning different bits of different OS's, simple oversight, that kind of thing."

      You make it sound like that was a valid excuse. It's not.

    3. Tom 13

      Re: truth will undoubtedly be way more mundane

      The truth is, if Security is Job 1 this comparison software is an obvious hacking tool. Therefore you have a protocol in place to make sure that exactly that sort of thing can't happen. Because everybody knows all those mundane things will torpedo anything less than that protocol being in place and backed by the CEO.

  3. Anonymous Coward

    If This Is true

    Then naughty Microsoft.

  4. GreggS

    Or couldn't it just be

    That the OS's are different by design?

    1. Anonymous Coward

      Re: Or couldn't it just be

      No. They are both Windows 6. Just like Vista, "7", "8" and "8.1". If you don't believe me open a command window and type ver

      1. Tom Maddox Silver badge

        Re: Or couldn't it just be

        Right, because the only difference between any two operating systems is the kernel version.

      2. Anonymous Coward

        Re: Or couldn't it just be

        Exactly the same way Windows 2000, XP and 2003 are all version "5". Microsoft changes the major version number of an OS only when it makes deep, major changes to the kernel. Otherwise only the minor release number is changed: 2000 = 5.0, XP = 5.1, 2003 = 5.2, Vista/2008 = 6.0, 7/2008R2 = 6.1 and 8/2012 = 6.2.

  5. bigtimehustler

    Could earn them a lot of money though under a bug bounty and all by simply diffing the libraries!

    1. Hans 1

      Potentially even cost MS more than if they had hired a few more guyz to work on w7 patches to release 'em for all supported versions at the same time ...

      BTW, this means I can take the Vista box off the net ... I could also install w8 on it, it has a touch screen after all ... hm.

  6. Anonymous Coward

    HA! So much for all those "sky's falling down" Chicken Licken-style end of XP support warnings!

    What an utter, steaming pile of bullshit!

  7. Hans 1
    Paris Hilton

    The next step is then finding who calls that specific function in win8 and you have candidates galore.

    Maybe they are late with the fix for w7, however, they should have delivered the patches the same day ... now they are helping crackers find the holes in the sieve.

    Paris coz she knows: the more the merrier !

    1. big_D Silver badge

      My old Escort didn't have airbags, when the newer version was introduced with airbags, Ford didn't retrofit them in my Escort either.

      The world moves on, new security measures are built into newer products, it is a fact of life.

      Apple did the same with OS X, with Lion they brought out a lot of new safety features that earlier versions didn't enjoy, such as the App sandboxing and restricting downloads from unknown sources etc. Mountain Lion improved upon that and so on.

      Android is the same, every OS is the same, heck most industries are the same. With each new version the people making the product realise where they can improve on security and safety over the previous version and they implement that. It is usually not practicable to retrofit it.

      I'm sure that people would be screaming blue murder as well, if MS had retrofitted the security improvements in Windows 8 in Windows 7 and legacy software suddenly stopped working.

      The same with XP, if MS had retrofitted the UAC and other advanced security features from Vista and 7 into XP, corporates would have thrown their hands up and cried foul, because their old, badly coded software no longer worked.

      1. M7S

        My old escort had airbags

        Probably as she was Bulgarian

      2. John Savard

        It's quite true that nobody would have wanted MS to turn XP into Vista. A free upgrade from Vista to 7, however, would have been widely accepted.

      3. Red Bren

        @big_D

        "My old Escort didn't have airbags, when the newer version was introduced with airbags, Ford didn't retrofit them in my Escort either."

        Your car analogy is flawed. Ford do carry out recalls to fix issues, rather than telling their customers to just buy the latest model.

        http://spectrum.ieee.org/cars-that-think/transportation/safety/ford-recalls-695-000-vehicles-for-airbag-transmission-software-updates

        1. big_D Silver badge

          Re: @big_D

          Recalls to fix problems, yes. So do most software companies, like Microsoft. But they don't recall the vehicles and retrofit them with new safety features introduced in newer versions.

        2. Eradicate all BB entrants

          @Red Bren

          You say Ford do what? Really? Never heard of the Ford Pinto?

          https://users.wfu.edu/palmitar/Law&Valuation/Papers/1999/Leggett-pinto.html

      4. Anonymous Coward

        @big_D

        downvoted for admitting you've owned a FORD

        1. big_D Silver badge

          Re: @big_D

          @AC ROFL, have an upvote from me. What can I say, I was young and naive! :-P

  8. MrRtd

    Maybe there is a valid reason, or maybe it's intentional. You can never really trust Microsoft's intentions, history has proven that time and time again.
