Is Microsoft withholding Windows 7 security patches? Probably not


A pair of researchers studying and comparing the code in Windows 7 and Windows 8 are claiming that Microsoft is giving security patches to Windows 8 that are not being rolled into Windows 7, but Microsoft is denying that it is playing favorites.

Researcher Moti Joseph, formerly of Websense, and malware analyst Marion Marschalek developed a diffing (comparison) tool they called DiffRay to compare Windows 8 with Windows 7 and log any safe functions absent in the older OS.

I'm not a programmer, but right away I can see a problem, and so should you. Windows 8 is a significantly changed operating system. It has a whole new interface, a large chunk of code is gone (the Start menu), it uses HTML 5, and thus a different rendering engine, a different Internet Explorer, and so on. This isn't even remotely an apples-to-apples comparison, or even apples to oranges. It's apples to cheeseburgers.

But hey, I'm just a writer.

The two made their presentation at the Troopers14 IT security conference in Germany. The Register ran with the story, including Joseph's claim that Microsoft was doing it to be cheap. "Why is it that Microsoft inserted a safe function into Windows 8 [but not] Windows 7? The answer is money - Microsoft does not want to waste development time on older operating systems ... and they want people to move to higher operating systems," Joseph said in a presentation at the Troopers14 conference.

The two scanned 900 Windows libraries and found a variety of security functions that were updated in Windows 8 but not 7. They said this could leave vulnerabilities unfixed and eventually lead to zero-day attacks.

A Microsoft spokesperson did not give me a definitive yes or no answer to the accusation, but did say this:

"We follow an extensive process to develop security updates for all supported devices and services, involving a thorough investigation, update development, and testing for compatibility among other operating systems and applications. We are continually working to improve our products and we encourage researchers to coordinate vulnerability disclosure with Microsoft in order to help protect customers."

What they are referring to is the Security Development Lifecycle (SDL) process Microsoft implemented more than a decade ago. Over time, across three operating systems (Vista, 7 and 8), new rules have been added and some existing ones have come to be more strictly enforced.

As part of its SDL requirements, Microsoft maintains its own set of security-oriented header files that are not part of the C/C++ standard library. Microsoft has very likely changed those requirements and headers in the five years between the release of Windows 7 and Windows 8.1 today. In which case, Windows 8.1 will have more of these built-in fixes than Windows 7 by default.

Also, these are not patches, per se. Patches fix a problem after it is found. The safe functions declared in those headers are built-in protection that keeps a whole class of bugs from being introduced in the first place. It's a proactive feature.
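To make the distinction concrete, here is an added illustration that is not code from the article, from Microsoft, or from the DiffRay tool. It does two things: it shows what a "safe function" of the kind the SDL headers provide looks like (a bounded copy modelled on the strsafe.h style, with our own names and return codes rather than Microsoft's), and it models the comparison the researchers describe, listing which safe variants one build of a library uses that an older build does not. The function-name lists for the "older" and "newer" builds are constructed for this example, not taken from real Windows binaries.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Our own result codes; the real strsafe.h functions return HRESULTs. */
typedef enum { COPY_OK = 0, COPY_BAD_ARG = 1, COPY_TOO_LONG = 2 } copy_result;

/* A bounded copy in the style of the SDL "safe" replacements for strcpy:
   the caller passes the destination size, the function never writes past
   it, always NUL-terminates, and reports (rather than overruns) when the
   source does not fit. */
copy_result safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* read at most dst_size bytes of src */
        n++;
    if (n == dst_size) {                     /* no room left for the terminator */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);                 /* n characters plus the NUL */
    return COPY_OK;
}

/* Helper so the copy can be exercised without the caller owning a buffer. */
copy_result copy_into_small_buffer(size_t dst_size, const char *src)
{
    char buf[32];
    if (dst_size > sizeof buf) return COPY_BAD_ARG;
    return safe_copy(buf, dst_size, src);
}

/* Safe variants a DiffRay-style tool might look for (illustrative list). */
static const char *SAFE_VARIANTS[] = {
    "StringCchCopyW", "StringCchCatW", "StringCchPrintfW", "strcpy_s", "memcpy_s"
};
#define N_SAFE (sizeof SAFE_VARIANTS / sizeof SAFE_VARIANTS[0])

/* Constructed import lists for two hypothetical builds of one library. */
static const char *OLDER_BUILD[] = { "strcpy", "lstrcpyW", "StringCchCopyW", "memcpy" };
static const char *NEWER_BUILD[] = { "StringCchCopyW", "StringCchCatW", "memcpy_s", "strcpy_s" };

static bool contains(const char *const *names, size_t count, const char *name)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(names[i], name) == 0) return true;
    return false;
}

/* Stores in `missing` (up to `cap` entries) the safe variants that appear in
   `newer` but not in `older`, and returns the total number found. */
size_t safe_functions_missing(const char *const *older, size_t n_older,
                              const char *const *newer, size_t n_newer,
                              const char **missing, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < N_SAFE; i++) {
        const char *fn = SAFE_VARIANTS[i];
        if (contains(newer, n_newer, fn) && !contains(older, n_older, fn)) {
            if (found < cap) missing[found] = fn;
            found++;
        }
    }
    return found;
}

static const char *g_missing[N_SAFE];

/* Runs the comparison over the constructed lists above. */
size_t demo_missing_count(void)
{
    return safe_functions_missing(OLDER_BUILD, 4, NEWER_BUILD, 4, g_missing, N_SAFE);
}

/* i-th safe variant the older build lacks, or NULL when out of range. */
const char *demo_missing_name(size_t i)
{
    size_t n = demo_missing_count();
    return i < n ? g_missing[i] : NULL;
}

int main(void)
{
    size_t n = demo_missing_count();
    printf("%zu safe function(s) present in the newer build but not the older one:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", demo_missing_name(i));
    printf("copy of \"abc\" into 4 bytes: %d (0 = ok)\n", copy_into_small_buffer(4, "abc"));
    printf("copy of \"abcd\" into 4 bytes: %d (2 = too long)\n", copy_into_small_buffer(4, "abcd"));
    return 0;
}
```

Note what the comparison does and does not tell you: a safe variant missing from the older build is a difference in how that build was written, not evidence of a specific unpatched bug, which is exactly the gap between "proactive feature" and "patch" the article draws.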

It's a complicated issue, and I got lost more than once trying to figure this all out on short notice. But the bottom line is it's not fair to say Windows 7 is not being updated because Microsoft is being cheap or is trying to force people to Windows 8, when Windows 7 has less to fix in the first place.


Copyright © 2014 IDG Communications, Inc.
