• Windows 10 more vulnerable?


    #2378598

    ISSUE 18.27 • 2021-07-19 PATCH WATCH By Susan Bradley Every month brings the usual suspects — zero-day vulnerabilities, remote code execution, denial
    [See the full post at: Windows 10 more vulnerable?]

    Susan Bradley Patch Lady/Prudent patcher

    1 user thanked author for this post.
    • #2378603

      the bugs in each version, Windows 10 has more bugs this month than Windows 7

      Windows 10 has more bugs than Windows 7, Windows 8/8.1 EVERY month since day 1.
      Every month Windows 10 has Windows 7 bugs + Windows 8 bugs and adds bugs of its own, which shows that some of Windows 10 bugs are a decade old.

      • #2378643

        Windows 10 bugs are a decade old

        Not only bugs. Its basis is over a decade old. Anyone who remembers XP will know that rounded corners were already there in the 2000s. In 2021 prepare to be amazed by the brand new context menu 🙂 well.. not so new.. just transparent.

        More added functionality in every build means that there are more and more weak spots. It's not in the power of humans to make a 100% secure system. I'm not surprised.

        The fact is that the newer system has more discovered vulnerabilities because the system “is alive” and a lot of developers are digging into it.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #2378629

      Playing “devil’s advocate”, taking a contrary viewpoint, is it possible that the number of bug fixes for each version of Windows is not a good metric of the real relative quality of each version of Windows, but just a natural consequence of Microsoft’s bug fixing process?

      I have no specific knowledge of Microsoft, but I have worked in software development for other companies and “management” want their staff to concentrate on the money making areas, which usually means the latest versions of things.

      If this is also true for Microsoft (which is likely), their bug fixing will concentrate on Windows 10 (and probably the latest version of W10). They may not have staff explicitly looking for and fixing bugs in W8.1 and W7 (or earlier versions of W10). However different versions of Windows are not completely new, but inherit much from earlier versions, so it makes sense to copy (or “port” in the software development jargon) bug fixes found in W10 to the corresponding source files in W8.1 and W7.

      However W10 includes extra “features” (in the general sense of the word), so not all W10 bugs will have corresponding bugs in W8.1 and W7 (without these extra W10 “features”).

      Thus, each month there will be more W10 bugs than W8.1 and W7 bugs, and similar numbers of both W8.1 and W7 bugs (and occasionally slightly more W8.1 than W7 bugs, because W8.1 has more “features” in common with W10, but not in W7).

      I haven’t kept a detailed record, but from memory having both W8.1 and W7 PCs, this is what we see.

      I’m not making any claims about the real relative quality or security of the different Windows versions, just making the point that the number of bug fixes each month for each version might not be a good indication of relative quality.

      Just a thought!

       

    • #2378722

      From the article:

      But as Microsoft layers on more protections in Windows 10, it opens up more vulnerabilities. A case in point is Windows Hello (facial recognition instead of passwords), which can be tricked into allowing an attacker to bypass the authentication (see Bleeping Computer).

      It is considered a bad practice to use biometrics instead of a password. Biometrics can increase security if they are used in conjunction with a password, but to use them alone is not a good idea. Yes, it’s more convenient, but security isn’t.

      A Twitter user put it best: “Telling Windows Home users that they should actually want to use new PCs with Windows 11 so they can take advantage of VBS defenses that “stop 60% of malware” when Home edition doesn’t even get most of those defenses, really is pretty crappy.”

      Indeed, but that’s been the norm for the “new” Microsoft under Nadella. They’ve been lying to users for years, like when they said that older versions of Windows would not run properly on newer architectures (Kaby and newer on the Intel side), which was blatantly false. If it had been true, they would not have had to put a Trojan horse in an update to break future updates (deliberately leaving the PC vulnerable to third party malware) to get people to stop putting Windows 7 (or even 8.1) on newer PCs. If it didn’t run properly, that would be a big enough disincentive.

      It’s not much different than how they just told us that we have to have 8th gen or later (again, on the Intel side; I haven’t used an AMD CPU in a while, so I have not kept up with the requirements for AMD) to have the features that support the Windows Driver Model. That wasn’t true either. At best, the newer generations have the virtualization features MS wants all Windows 11 users to have even though only a subset of those can apparently benefit from them.

      All of that fits right in with the deception and dark patterns MS has been using to promote Windows 10 from the start, not to mention the “oops” moments when “bugs” conveniently reset people’s Windows 10 PCs to the settings MS wanted rather than those the owners of those PCs had selected.

      Don’t get me wrong. I’m looking forward to the advances that the Trusted Platform Module can bring to the table.

      You don’t need Windows 11 for that. Windows has had the capability of using those for years, and all PCs certified for Windows were supposed to have one since 2015. It’s another little bit of deception to suggest that you need Windows 11 to get the benefits of that feature.

      A TPM is not a magic little thing that increases security just by being there. It’s a tiny bit of protected memory that is meant to store secrets like encryption keys, and to be able to detect if any potentially malicious change has occurred in the environment it “lives” in before releasing the information.

      It’s a niche thing that benefits some people in some circumstances, but it’s far from universally useful (the kind of thing that it would make some kind of sense to make mandatory). The laptop I am using now to write this (my Dell XPS 13) has TPM 2.0 functionality, but it’s idle at the moment. I don’t have any need for it, even though I do have security features enabled, like an encrypted volume on the PC. I don’t keep the encryption key stored in the “secure” TPM when it is not in use; it isn’t stored on the PC at all. When the PC is off, the key is not on it, and no matter how relatively secure the TPM may be, it’s not as secure as the secret not being there in the first place.

       

       

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      5 users thanked author for this post.
      • #2378731

        It’s another little bit of deception to suggest that you need Windows 11 to get the benefits of that feature.

        Where did Microsoft suggest that?

        • #2378930

          Where did Microsoft suggest that?

          Here, for one:

          “Security. Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI) and Secure Boot.”

          The hardware they require that “can enable protections like Windows Hello, Device Encryption” is the TPM, and it was already required for 10, and 8.1, and 8. But they didn’t mention that bit! It’s like how one of the beer companies started advertising some bit of beermaking that all of the beer companies do, with the obvious implication being that no one else does it, and that you should buy their product because it’s better that it does this one thing. They wouldn’t be pushing the point for any other reason… there’s no need to advertise something that everyone does, and people tend to think that no one would.

          Susan is something of an authority on many security-related things with Windows, but even she had said that she was looking forward to the things TPM would bring to the table, even though those benefits have been at the table for more than five years. I don’t think that was by any means an “oops” on Microsoft’s part.

           

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          • #2379290

            The hardware they require that “can enable protections like Windows Hello, Device Encryption” is the TPM, and it was already required for 10, and 8.1, and 8. But they didn’t mention that bit!

            Depends what your definition of “required” is!

            For 8/10, TPM was required of OEMs; but not to install/run Windows:

            Hardware-assisted security, which has been an optional part of Windows 10, is now mandatory, which means Secure Boot and device encryption are available by default to protect against increasingly sophisticated online attacks.

            Windows 11 FAQ: Everything you need to know

            No tips or tricks were ever needed to do anything on Windows 8/10 without a TPM.

    • #2378774

      That is certainly the result of throwing in all sorts of “stuff” (i.e. features) without serious testing. Whatever happened to the concept so successful in normal business: you want extra, you pay extra? How many home users or even small businesses need or want all the stuff that comes embedded with Windows-10? There was a solid reason behind the different SKUs of Windows-7 and before. The critical problem facing MS, if they choose to recognize it, is that Windows-11 gives them the opportunity to atone and publicly admit their past mistakes and return to when Windows was a solid and reliable OS.

      1 user thanked author for this post.
    • #2378824

      I run 0patch (zero patch) software on both Win7 and Win10. On Win10, it issues zero day patches for new threats, days or even weeks before msoft. On Win7 it does zero day plus patches to cover what msoft stopped when they stopped supporting Win7 security. I am just an end-user, not linked in any way to 0patch.com.

      2 users thanked author for this post.
    • #2378906

      Yeah, Microsoft sure loves their features and gimmicks.

      Meanwhile in the real world, a Microsoft screw-up just exposed NTLM password hashes to ordinary users and even sandboxed apps in Windows 11 and the latest versions of Windows 10. This means escalation of privilege for any attacker with the computing power to crack some (notoriously easy) NTLM hashes.

      https://twitter.com/jonasLyk/status/1417205166172950531

    • #2379001

      Most secuuuuure OS ever, remember?

      2 users thanked author for this post.
      • #2379179

        Just PR and marketing. Maybe most secure, but it should be the last OS ever too 🙂
        I have totally lost any belief in such statements whatsoever. It's like trying to make driving 100% safe. You just can't reach that goal. You can make driving easier (steering and braking assist and other assists). But adding those assists to the car does not guarantee you can't crash. Also, such functions create tens or hundreds of other risks that were not present in the mechanical car in the first place! An old Buick from 1990 is harder to drive, but you cannot crash because you are playing with the touch panel and trying to watch Fast and Furious on the TV while driving.

        You are as safe as you behave. You cannot blame others for emptying your account if you wrote your banking password on your monitor! Not you, @BobT36, just people in general 🙂

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        1 user thanked author for this post.
    • #2379021

      Elephant in the room: Microsoft is getting 50%ish of the $10 billion US DoD cloud-computing contract. Either DoD will have 70 hacks per month or MS has totally bulletproof code for them and can’t or won’t fix Windows 7 and/or 10. Think about it. Perhaps Win 11 will come with a EULA that does not relieve MS from liability for hacks due to not testing code, removing ALL buffer overflows, etc. Sigh …

    • #2379030

      $10 billion US DoD cloud-computing contract.

      The contract has been canceled.

      1 user thanked author for this post.