Researchers studying and comparing Microsoft code in Windows 7 and Windows 8 have found that there is security code in Windows 8 that is not present in Windows 7. Fundamentally, this is a dog-bites-man story; new versions of software come with new features, sometimes even security features. Is it unreasonable for Microsoft to leave these changes out of Windows 7?
Then last week The Register ran a story entitled "Redmond is patching Windows 8 but NOT Windows 7, say security bods." This is not a fair way to describe the findings, although the researchers themselves are very happy to snipe at Microsoft. But the research is interesting and raises some useful questions that users and buyers might find informative.
We have asked Microsoft for comment and will update the story when we get it.
Microsoft began instituting rules to ensure secure programming practices over ten years ago. These practices became the SDL (Security Development Lifecycle), and are documented for everyone to use. It's not a static document; over time, new rules have been added and some have become more strict.
The calls which the researchers, Moti Joseph and Marion Marschalek, focused on were related to these practices. Many of the "standard" C language runtime library functions are poorly implemented, and SDL requires programmers to use "safe" alternatives, such as the Strsafe functions for strings. These versions do security checks, such as ensuring that no buffers are overrun.
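As an added illustration of the check described above (portable C written for this article, not Microsoft's Strsafe implementation; the function and status names are hypothetical), a bounded copy and concatenate that refuse to run past the destination, beside the unchecked call they replace:

```c
#include <stddef.h>
#include <string.h>

/* Status codes modelled loosely on the Strsafe contract (illustration only):
 * 0 on success, non-zero when the destination is too small or invalid. */
#define COPY_OK                  0
#define COPY_INSUFFICIENT_BUFFER 1
#define COPY_INVALID_PARAMETER   2

/* cch is the destination size in characters, including room for the NUL.
 * On overrun the destination gets a truncated, NUL-terminated string and the
 * caller gets a non-zero status instead of silent memory corruption. */
int bounded_copy(char *dst, size_t cch, const char *src)
{
    size_t i;
    if (dst == NULL || src == NULL || cch == 0)
        return COPY_INVALID_PARAMETER;
    for (i = 0; i + 1 < cch && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';              /* always terminate; strcpy would keep writing */
    return src[i] == '\0' ? COPY_OK : COPY_INSUFFICIENT_BUFFER;
}

/* Append src to dst without exceeding cch; rejects a dst that is not already
 * NUL-terminated within cch, since its length would be unknowable. */
int bounded_cat(char *dst, size_t cch, const char *src)
{
    size_t used = 0;
    if (dst == NULL || src == NULL || cch == 0)
        return COPY_INVALID_PARAMETER;
    while (used < cch && dst[used] != '\0')
        used++;
    if (used == cch)
        return COPY_INVALID_PARAMETER;
    return bounded_copy(dst + used, cch - used, src);
}

/* The unchecked pattern SDL bans: strcpy has no length parameter, so it
 * cannot check anything. A 12-byte string into an 8-byte buffer writes
 * past the end of dst. */
void unchecked_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}
```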
These are the calls that Joseph's and Marschalek's research looked for. They are not "patches," and the distinction is a significant one. Patches address a known problem. These calls protect against potential problems. They are proactive measures added to make the product more resistant to attack. It's likely that many of them are unnecessary: even where there are problems in the code being protected with the safe functions, that code is, as a practical matter, probably not exploitable. But over time, the standards for these things become stricter, and it's not surprising to find more of them used in Windows 8 than in Windows 7.
So it's the way of the world that newer versions get new security features, as when Microsoft added ASLR (Address Space Layout Randomization) to Windows Vista and did not back-port it to Windows XP. But is it fair for Microsoft always to withhold new security features from shipping version X and save them for the upcoming version X+1?
In fact, this isn't a hard-and-fast rule at Microsoft. Just last month Microsoft released KB2871997: Update to improve credentials protection and management. In a blog last week, Joe Bialek, an engineer with the Microsoft Security Response Center, explained the update and how it also applies to Windows 7. The update removes some use of plain-text passwords and adds support for some newer security features.
But this sort of change is a far cry from adding to Windows 7 all the safe function usage of Windows 8. Doing that would have the potential to change a large percentage of the program files in Windows, leading to hundreds of MB of updates.
It's also interesting that Microsoft's Support Lifecycle documents don't obligate the company to provide new features to shipping products, even those, such as Windows 7, that are still in the Mainstream Support period. Customers can request new features.
There's a line in there somewhere between reasonable and unreasonable. Microsoft has chosen not to give it a hard definition, and perhaps that's for the best. I certainly don't know how to define it.