
One 0-day; Win 7 and 8.1 get last-ever patches – Naked Security

As far as we can tell, there are a whopping 2874 items on Microsoft’s official list of updates for this month’s Patch Tuesday, going by the CSV export from Redmond’s Security Update Guide web page.

(The web page itself says 2283, but the CSV export contains 2875 lines, of which the first isn’t a data record at all, but a header listing the field names for the rest of the lines in the file.)

Prominently obvious at the top of the list, in the Product column, are the first nine entries, which cover an elevation-of-privilege (EoP) patch denoted CVE-2023-21773 in Windows 7, Windows 8.1 and Windows RT 8.1.

As many will remember, Windows 7 was hugely popular in its day (indeed, some still consider it the best Windows ever), and was finally taken up even by die-hard Windows XP fans once XP support ended.

Windows 8.1 is remembered more as a sort of “bug fix” release for the unlamented and long-discontinued Windows 8 than as a real Windows version in its own right, and it never really caught on.

And Windows RT 8.1 was everything people didn’t like about regular Windows 8.1, but running on strictly locked-down, proprietary ARM-based hardware, like an iPhone or iPad, a combination that, judging by the market’s reaction, very few people were willing to accept.

In fact, you’ll sometimes read that Windows 8’s relative unpopularity is why the next major release after 8.1 was numbered Windows 10, thus deliberately creating a sense of separation between the old and the new.

Another explanation is that Windows 10 had to be the product’s full name, because the 10 formed part of the new product name rather than being a version number appended to the name. Windows 11 later put some dents in that theory, but there never was a Windows 9.

The end of two eras

Shed a tear now, because this month brings the last-ever security updates for the ageing Windows 7 and Windows 8.1 versions.

Windows 7 has now reached the end of its three-year paid-for ESU period (ESU is short for Extended Security Updates), while Windows 8.1 simply doesn’t get any extended updates at all, apparently no matter how much you’re willing to pay:

FYI, Windows 8.1 will end support on January 10, 2023 [2023-01-10]. Technical support and software updates are no longer available. […]

Microsoft does not provide an Extended Security Update (ESU) program for Windows 8.1. Continued use of Windows 8.1 after January 10, 2023 may increase your organization’s exposure to security risks or affect your ability to meet your compliance obligations.

So, now that the Windows 7 and Windows 8.1 eras are over, any operating system bugs left on computers still running those versions will be there for good.

Intriguingly, despite their age, both platforms received patches this month for dozens of different CVE-numbered vulnerabilities: 42 CVEs for Windows 7 and 48 CVEs for Windows 8.1.

Even if contemporary threat researchers and cybercriminals aren’t explicitly looking for bugs in older Windows builds, the flaws they find when digging into the newest builds of Windows 11 may turn out to have been inherited from legacy code.

Indeed, the counts of 42 and 48 CVEs above compare with a total of 90 different CVEs in Microsoft’s official January 2023 release notes, so about half of this month’s bugs (all 90 on the list carry the year designator CVE-2023-XXXX) have been sitting undiscovered in Windows for at least 10 years.
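As an added example (not code from the original article or from Sophos), here is how the record and per-product CVE counts above can be reproduced from a Security Update Guide CSV export, together with the “Exploited” and “Publicly Disclosed” flags discussed later. The column names and the one-row-per-product layout are assumptions about the export format, and the ten-row sample is constructed from the CVEs mentioned on this page rather than taken from the real export:

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a Security Update Guide CSV export.
# The column names are an assumption about the export format; the real
# file has more columns and, per the article, 2874 data rows for January 2023.
# Only CVEs named on this page are used; Impact values are those of the EoP bugs.
SAMPLE_CSV = """Release date,Product,Impact,Max Severity,Details,Exploited,Publicly Disclosed
"Jan 10, 2023",Windows 7 for 32-bit Systems Service Pack 1,Elevation of Privilege,Important,CVE-2023-21773,No,No
"Jan 10, 2023",Windows 7 for x64-based Systems Service Pack 1,Elevation of Privilege,Important,CVE-2023-21773,No,No
"Jan 10, 2023",Windows 8.1 for 32-bit systems,Elevation of Privilege,Important,CVE-2023-21773,No,No
"Jan 10, 2023",Windows 8.1 for x64-based systems,Elevation of Privilege,Important,CVE-2023-21773,No,No
"Jan 10, 2023",Windows RT 8.1,Elevation of Privilege,Important,CVE-2023-21773,No,No
"Jan 10, 2023",Windows 8.1 for x64-based systems,Elevation of Privilege,Important,CVE-2023-21674,Yes,No
"Jan 10, 2023",Windows 11 Version 22H2 for x64-based Systems,Elevation of Privilege,Important,CVE-2023-21674,Yes,No
"Jan 10, 2023",Windows 7 for x64-based Systems Service Pack 1,Elevation of Privilege,Important,CVE-2023-21549,No,Yes
"Jan 10, 2023",Windows 8.1 for x64-based systems,Elevation of Privilege,Important,CVE-2023-21549,No,Yes
"Jan 10, 2023",Windows 11 Version 22H2 for x64-based Systems,Elevation of Privilege,Important,CVE-2023-21549,No,Yes
"""


def parse_sug_csv(text):
    """One dict per data row; DictReader consumes the header line, which is
    why the record count is always one less than the line count."""
    return list(csv.DictReader(io.StringIO(text)))


def distinct_cves(rows):
    return sorted({r["Details"] for r in rows})


def cves_for_product(rows, prefix):
    """Distinct CVEs patched on any product whose name starts with `prefix`.
    'Windows 7' matches both the 32-bit and x64 SP1 entries; 'Windows 8.1'
    deliberately does not match 'Windows RT 8.1', mirroring the article's counts."""
    return sorted({r["Details"] for r in rows if r["Product"].startswith(prefix)})


def flagged_cves(rows):
    """CVEs Microsoft marks as exploited in the wild or publicly disclosed."""
    flags = defaultdict(set)
    for r in rows:
        if r["Exploited"].strip().lower() == "yes":
            flags[r["Details"]].add("exploited")
        if r["Publicly Disclosed"].strip().lower() == "yes":
            flags[r["Details"]].add("publicly disclosed")
    return {cve: sorted(f) for cve, f in flags.items()}


def legacy_overlap(rows, legacy=("Windows 7", "Windows 8.1"), current="Windows 11"):
    """CVEs that hit a legacy product *and* a current one: the bugs that reach
    right across versions, which is why the legacy list matters even if every
    machine you own runs the latest build."""
    legacy_cves = set()
    for p in legacy:
        legacy_cves.update(cves_for_product(rows, p))
    return sorted(legacy_cves & set(cves_for_product(rows, current)))


def summarise(text):
    rows = parse_sug_csv(text)
    return {
        "records": len(rows),
        "cves": len(distinct_cves(rows)),
        "windows_7": len(cves_for_product(rows, "Windows 7")),
        "windows_8.1": len(cves_for_product(rows, "Windows 8.1")),
        "windows_rt_8.1": len(cves_for_product(rows, "Windows RT 8.1")),
        "flagged": flagged_cves(rows),
        "overlap": legacy_overlap(rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_CSV), indent=2))
```

To run it over a real export, pass the file contents to `summarise()` instead of `SAMPLE_CSV`; opening the file with `encoding="utf-8-sig"` is a sensible precaution against a byte-order mark on the header line (an assumption about the export, not something the page states). On the constructed sample, `records` is 10 while the text has 11 lines, exactly the header-line effect described above.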

That said, you’ll often find that “new” bugs can be retrofitted into exploits that work on older versions, just as bugs found in older versions can still affect the latest and greatest release, so what gets patched on the legacy Windows versions is worth knowing about even if you have long since moved on.

Ironically, “new” bugs may be easier to exploit on older versions, because of the less restrictive build settings and more liberal runtime configurations that were considered acceptable at the time.

Older laptops, with less memory than today’s, were often set up with a 32-bit version of Windows even if they had 64-bit processors. Some threat mitigations, notably address-space randomisation (ASLR), which shuffles where programs end up in memory to reduce predictability and make exploits harder to carry out reliably, are generally less effective on 32-bit Windows simply because there are fewer memory addresses to choose from. As in hide-and-seek, the more places you can hide, the longer it usually takes the seeker to find you.

“Exploitation detected”

According to Bleeping Computer, just two of the vulnerabilities disclosed this month are listed as already known outside Microsoft and the immediate research community:

Interestingly, CVE-2023-21674, the bug that attackers are already actively exploiting, is not on the Windows 7 patch list, but it does apply to Windows 8.1.

The second publicly known bug, CVE-2023-21549, applies to both Windows 7 and Windows 8.1.

As mentioned above, newly discovered bugs often turn out to reach right across the Windows versions:

CVE-2023-21674 affects everything from Windows 8.1 up to the latest builds of Windows 11 2022H2 (H2 denotes the release from the second half of the year).

More dramatically still, CVE-2023-21549 applies all the way from Windows 7 up to Windows 11 2022H2.

What to do with that old computer?

If you have a Windows 7 or Windows 8.1 computer that is still usable and useful to you, consider switching to an open-source operating system such as a Linux distribution, which will give you both support and updates.

Some community Linux builds specialize in keeping distros small and simple.

You may not get photo filters, video editing tools, a chess engine, and the latest and greatest collection of high-resolution wallpapers, but a minimalist distro is still perfectly good for browsing and email, even on older 32-bit hardware with a tiny hard disk and not much memory.


Read the SophosLabs report on this month’s patches.

