February 23, 2024

So far as we can tell, there are a whopping 2874 items on this month’s Patch Tuesday update list from Microsoft, based on the CSV download we just grabbed from Redmond’s Security Update Guide web page.

(The website itself says 2283, but the CSV export contained 2875 lines, where the first line isn’t actually a data record but a list of the various field names for the rest of the lines in the file.)

Glaringly obvious at the very top of the list are the names in the Product column of the first 9 entries, dealing with an elevation-of-privilege (EoP) patch denoted CVE-2013-21773 for Windows 7, Windows 8.1, and Windows RT 8.1.

Windows 7, as many people will remember, was extremely popular in its day (indeed, some still consider it the best Windows ever), finally luring even die-hard fans across from Windows XP when XP support ended.

Windows 8.1, which is remembered more as a sort-of “bug-fix” release for the unlamented and long-dropped Windows 8 than as a real Windows version in its own right, never really caught on.

And Windows RT 8.1 was everything people didn’t like in the regular version of Windows 8.1, but running on proprietary ARM-based hardware that was locked down strictly, like an iPhone or an iPad – not something that Windows users were used to, nor, to judge by the market reaction, something that many people were willing to accept.

Indeed, you’ll sometimes read that the comparative unpopularity of Windows 8 is why the next major release after 8.1 was numbered Windows 10, thus deliberately creating a sense of separation between the old version and the new one.

Other explanations include that Windows 10 was supposed to be the full name of the product, so that the 10 formed part of the brand new product name, rather than being just a number added to the name to denote a version. The subsequent appearance of Windows 11 put something of a dent in that theory – but there never was a Windows 9.

The end of two eras

Shed your tears now, because this month sees the last security updates for the old-school Windows 7 and Windows 8.1 versions.

Windows 7 has now reached the end of its three-year pay-extra-to-get-ESU period (ESU is short for extended security updates), and Windows 8.1 simply isn’t getting extended updates, apparently no matter how much you’re willing to pay:

As a reminder, Windows 8.1 will reach end of support on January 10, 2023 [2023-01-10], at which point technical assistance and software updates will no longer be provided. […]

Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.

So, it really is the end of the Windows 7 and Windows 8.1 eras, and any operating system bugs left on any computers still running those versions will be there forever.

Remember, of course, that despite their ages, both these platforms have this very month received patches for dozens of different CVE-numbered vulnerabilities: 42 CVEs in the case of Windows 7, and 48 CVEs in the case of Windows 8.1.

Even if contemporary threat researchers and cybercriminals aren’t explicitly looking for bugs in old Windows builds, flaws that are first found by attackers digging into the very latest build of Windows 11 might turn out to have been inherited from legacy code.

In fact, the CVE counts of 42 and 48 above compare with a total of 90 different CVEs listed on Microsoft’s official January 2023 Release Notes web page, loosely suggesting that about half of today’s bugs (in this month’s list, all 90 have CVE-2023-XXXX date designators) have been waiting around to be found in Windows for at least a decade.
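The row counts and CVE counts above measure different things if, as the nine entries for a single patch suggest, the export holds one record per product and CVE pair. As an added example (not from the original article or from Microsoft), this Python code tallies distinct CVEs per product and lists which legacy-product CVEs also appear for the newest product. The sample rows are constructed, and the "CVE" column name and the CVE-0000-… placeholder IDs are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape the article describes: the first line holds
# field names, every later line is one (product, CVE) record. "Product" is the
# column the article names; the "CVE" column name is an assumption, and the
# CVE-0000-... entries are placeholders, not real identifiers.
SAMPLE_CSV = """Product,CVE
Windows 7,CVE-0000-0001
Windows 8.1,CVE-0000-0001
Windows RT 8.1,CVE-0000-0001
Windows 7,CVE-2023-21549
Windows 8.1,CVE-2023-21549
Windows 11 2022H2,CVE-2023-21549
Windows 8.1,CVE-2023-21674
Windows 11 2022H2,CVE-2023-21674
Windows 11 2022H2,CVE-0000-0002
"""

def load_rows(text):
    """Parse the export; DictReader consumes the header line itself."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r.get("CVE")]

def cves_by_product(rows):
    """Map each product to the set of distinct CVEs patched for it."""
    out = defaultdict(set)
    for r in rows:
        out[r["Product"].strip()].add(r["CVE"].strip().upper())
    return dict(out)

def summarize(text, legacy, current):
    """Compare raw line/record counts with distinct CVEs and legacy overlap."""
    rows = load_rows(text)
    per_product = cves_by_product(rows)
    all_cves = set().union(*per_product.values()) if per_product else set()
    newest = per_product.get(current, set())
    return {
        "lines": len(text.splitlines()),      # includes the header line
        "records": len(rows),                 # data records only
        "distinct_cves": len(all_cves),       # what a release-notes page counts
        "per_product": {p: len(c) for p, c in per_product.items()},
        "shared_with_current": {
            p: sorted(per_product.get(p, set()) & newest) for p in legacy
        },
    }

if __name__ == "__main__":
    result = summarize(SAMPLE_CSV, ["Windows 7", "Windows 8.1"], "Windows 11 2022H2")
    for key, value in result.items():
        print(key, value)
```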

In other words, in the same way that bugs uncovered in old versions may turn out still to affect the latest and greatest releases, you will also often find that “new” bugs go way back, and can be retrofitted into exploits that work on old Windows versions, too.

Ironically, “new” bugs may ultimately be easier to exploit on older versions, due to the less restrictive software build settings and more liberal run-time configurations that were considered acceptable back then.

Older laptops with less memory than today were typically set up with 32-bit versions of Windows, even if they had 64-bit processors. Some threat mitigation techniques, notably those that involve randomising the locations where programs end up in memory in order to reduce predictability and make exploits harder to pull off reliably, are typically less effective on 32-bit Windows, simply because there are fewer memory addresses to choose from. Like hide-and-seek, the more possible places there are to hide, the longer it generally takes to find you.

“Exploitation detected”

According to Bleeping Computer, only two of the vulnerabilities disclosed this month are listed as being in-the-wild, in other words known outside Microsoft and the immediate research community:

  • CVE-2023-21674: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. Confusingly, this one is listed as Publicly disclosed: no, but Exploitation Detected. From this, we assume that cybercriminals already know how to abuse this bug, but they’re carefully keeping the details of the exploit to themselves, presumably to make it harder for threat responders to know what to look for on systems that haven’t been patched yet.
  • CVE-2023-21549: Windows SMB Witness Service Elevation of Privilege Vulnerability. This one is denoted Publicly disclosed, but nevertheless written up as Exploitation Less Likely. From this, we infer that even if someone tells you where the bug is located and how you might trigger it, figuring out how to exploit the bug successfully and actually achieving an elevation of privilege is going to be difficult.

Intriguingly, the CVE-2023-21674 bug, which is actively in use by attackers, isn’t on the Windows 7 patch list, but it does apply to Windows 8.1.

The second bug, CVE-2023-21549, described as publicly known, applies to both Windows 7 and Windows 8.1.

As we said above, newly discovered flaws often go a long way.

CVE-2023-21674 applies all the way from Windows 8.1 to the very latest builds of Windows 11 2022H2 (H2, in case you were wondering, means “the release issued in the second half of the year”).

Even more dramatically, CVE-2023-21549 applies right from Windows 7 to Windows 11 2022H2.

What to do with those old computers?

If you’ve got Windows 7 or Windows 8.1 computers that you still consider usable and useful, consider switching to an open source operating system, such as a Linux distro, that’s still getting both support and updates.

Some community Linux builds specialize in keeping their distros small and simple.

Although they may not have the latest and greatest collection of photo filters, video editing tools, chess engines and high-resolution wallpapers, minimalist distros are still suitable for browsing and email, even on old, 32-bit hardware with small hard disks and low memory.

