Microsoft Patch Tuesday: One 0-day; Win 7 and 8.1 get last-ever patches
Credit to Author: Paul Ducklin | Date: Wed, 11 Jan 2023 00:22:30 +0000
As far as we can tell, there are a whopping 2874 items in this month’s Patch Tuesday update list from Microsoft, based on the CSV download we just grabbed from Redmond’s Security Update Guide web page.
(The website itself says 2283, but the CSV export contained 2875 lines, where the first line isn’t actually a data record but a list of the various field names for the rest of the lines in the file.)
Glaringly obvious at the very top of the list are the names in the Product column of the first nine entries, dealing with an elevation-of-privilege (EoP) patch denoted CVE-2023-21773 for Windows 7, Windows 8.1, and Windows RT 8.1.
Windows 7, as many people will remember, was extremely popular in its day (indeed, some still consider it the best Windows ever), finally luring even die-hard fans across from Windows XP when XP support ended.
Windows 8.1, which is remembered more as a sort-of “bug-fix” release for the unlamented and long-dropped Windows 8 than as a real Windows version in its own right, never really caught on.
And Windows RT 8.1 was everything people didn’t like in the regular version of Windows 8.1, but running on proprietary ARM-based hardware that was locked down strictly, like an iPhone or an iPad – not something that Windows users were used to, nor, to judge by the market reaction, something that many people were willing to accept.
Indeed, you’ll sometimes read that the comparative unpopularity of Windows 8 is why the next major release after 8.1 was numbered Windows 10, thus deliberately creating a sense of separation between the old version and the new one.
Other explanations include that Windows 10 was supposed to be the full name of the product, so that the 10 formed part of the brand new product name, rather than being just a number added to the name to denote a version. The subsequent appearance of Windows 11 put something of a dent in that theory – but there never was a Windows 9.
The end of two eras
Shed your tears now, because this month sees the very last security updates for the old-school Windows 7 and Windows 8.1 versions.
Windows 7 has now reached the end of its three-year pay-extra-to-get-ESU period (ESU is short for extended security updates), and Windows 8.1 simply isn’t getting extended updates, apparently no matter how much you’re willing to pay:
As a reminder, Windows 8.1 will reach end of support on January 10, 2023 [2023-01-10], at which point technical assistance and software updates will no longer be provided. […]
Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.
So, it really is the end of the Windows 7 and Windows 8.1 eras, and any operating system bugs left on any computers still running those versions will be there forever.
Remember, of course, that despite their ages, both those platforms have this very month received patches for dozens of different CVE-numbered vulnerabilities: 42 CVEs in the case of Windows 7, and 48 CVEs in the case of Windows 8.1.
Even if contemporary threat researchers and cybercriminals aren’t explicitly looking for bugs in old Windows builds, flaws that are first found by attackers digging into the very latest build of Windows 11 might turn out to have been inherited from legacy code.
In fact, the CVE counts of 42 and 48 above compare with a total of 90 different CVEs listed on Microsoft’s official January 2023 Release Notes page, loosely suggesting that about half of today’s bugs (in this month’s list, all 90 have CVE-2023-XXXX date designators) have been waiting around to be found in Windows for at least a decade.
In other words, in the same way that bugs uncovered in old versions may turn out still to affect the latest and greatest releases, you will also often find that “new” bugs go way back, and can be retrofitted into exploits that work on old Windows versions, too.
Ironically, “new” bugs may ultimately be easier to exploit on older versions, due to the less restrictive software build settings and more liberal run-time configurations that were considered acceptable back then.
Older laptops with less memory than today were typically set up with 32-bit versions of Windows, even if they had 64-bit processors. Some threat mitigation techniques, notably those that involve randomising the locations where programs end up in memory in order to reduce predictability and make exploits harder to pull off reliably, are typically less effective on 32-bit Windows, simply because there are fewer memory addresses to choose from. Like hide-and-seek, the more possible places there are to hide, the longer it generally takes to find you.
“Exploitation detected”
According to Bleeping Computer, only two of the vulnerabilities disclosed this month are listed as being in-the-wild, in other words known outside Microsoft and the immediate research community:
- CVE-2023-21674: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. Confusingly, this one is listed as Publicly disclosed: no, but Exploitation Detected. From this, we assume that cybercriminals already know how to abuse this bug, but they’re carefully keeping the details of the exploit to themselves, presumably to make it harder for threat responders to know what to look for on systems that haven’t been patched yet.
- CVE-2023-21549: Windows SMB Witness Service Elevation of Privilege Vulnerability. This one is denoted Publicly disclosed, but nevertheless written up as Exploitation Less Likely. From this, we infer that even if someone tells you where the bug is located and how you might trigger it, figuring out how to exploit the bug successfully and actually achieving an elevation of privilege is going to be difficult.
Intriguingly, the CVE-2023-21674 bug, which is actively in use by attackers, isn’t on the Windows 7 patch list, but it does apply to Windows 8.1.
The second bug, CVE-2023-21549, described as publicly known, applies to both Windows 7 and Windows 8.1.
As we said above, newly discovered flaws often go a long way.
CVE-2023-21674 applies all the way from Windows 8.1 to the very latest builds of Windows 11 2022H2 (H2, in case you were wondering, means “the release issued in the second half of the year”).
Even more dramatically, CVE-2023-21549 applies right from Windows 7 to Windows 11 2022H2.
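The counting described above (data records versus the header line of the CSV export, distinct CVEs per product, and which CVEs reach all the way from Windows 7 or 8.1 to Windows 11) is straightforward to automate. The following Python is an added example, not code from the article or from Microsoft: it works over a small constructed CSV that mimics the Security Update Guide export rather than the real 2875-line file, and the column names ("Product", "Details") and product strings are assumptions; the code reads field names from the header row so it does not depend on column positions. The three real CVE ids are the ones named in the article; the fourth is an obvious placeholder.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Security Update Guide CSV export. Column names and
# product strings are assumptions; CVE-2023-PLACEHOLDER is a dummy id used only
# to show a bug that affects Windows 11 but none of the end-of-support platforms.
SAMPLE_CSV = """\
Release date,Product,Platform,Impact,Max Severity,Details
Jan 10 2023,Windows 7 for 32-bit Systems Service Pack 1,,Elevation of Privilege,Important,CVE-2023-21773
Jan 10 2023,Windows 8.1 for 32-bit systems,,Elevation of Privilege,Important,CVE-2023-21773
Jan 10 2023,Windows RT 8.1,,Elevation of Privilege,Important,CVE-2023-21773
Jan 10 2023,Windows 8.1 for x64-based systems,,Elevation of Privilege,Important,CVE-2023-21674
Jan 10 2023,Windows 11 Version 22H2 for x64-based Systems,,Elevation of Privilege,Important,CVE-2023-21674
Jan 10 2023,Windows 7 for x64-based Systems Service Pack 1,,Elevation of Privilege,Important,CVE-2023-21549
Jan 10 2023,Windows 11 Version 22H2 for x64-based Systems,,Elevation of Privilege,Important,CVE-2023-21549
Jan 10 2023,Windows 11 Version 22H2 for x64-based Systems,,Remote Code Execution,Critical,CVE-2023-PLACEHOLDER
"""

# Platforms that received their last-ever patches this month, plus the
# current platform we compare them against. Matched as prefixes of "Product".
LEGACY_FAMILIES = ("Windows 7", "Windows 8.1", "Windows RT 8.1")
FAMILIES = LEGACY_FAMILIES + ("Windows 11",)


def load_records(csv_text):
    """Parse the export; DictReader treats the first line as field names, not data."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def count_records(csv_text):
    """Number of data rows, i.e. file lines minus the header line."""
    return len(load_records(csv_text))


def distinct_cves(records):
    """Sorted list of unique CVE ids across all rows (rows repeat per product)."""
    return sorted({row["Details"] for row in records})


def cves_by_family(records):
    """Distinct CVE ids per product family, keyed by the matched prefix."""
    families = defaultdict(set)
    for row in records:
        for prefix in FAMILIES:
            if row["Product"].startswith(prefix):
                families[prefix].add(row["Details"])
    return {family: sorted(cves) for family, cves in families.items()}


def families_per_cve(records):
    """Map each CVE id to the sorted list of product families it is listed against."""
    per_cve = defaultdict(set)
    for row in records:
        for prefix in FAMILIES:
            if row["Product"].startswith(prefix):
                per_cve[row["Details"]].add(prefix)
    return {cve: sorted(fams) for cve, fams in per_cve.items()}


def spans_legacy_to_latest(records):
    """CVE ids patched on an end-of-support platform that also affect Windows 11."""
    return sorted(
        cve
        for cve, fams in families_per_cve(records).items()
        if "Windows 11" in fams and any(f in LEGACY_FAMILIES for f in fams)
    )


if __name__ == "__main__":
    rows = load_records(SAMPLE_CSV)
    print("data records:", count_records(SAMPLE_CSV))
    print("distinct CVEs:", len(distinct_cves(rows)))
    for family, cves in sorted(cves_by_family(rows).items()):
        print(f"{family}: {len(cves)} CVE(s) -> {', '.join(cves)}")
    print("legacy-to-Windows-11 reach:", spans_legacy_to_latest(rows))
```

Run against the real export, `count_records` gives the 2874 the article quotes (2875 lines minus the header), `len(distinct_cves(...))` the 90 on the Release Notes page, and `cves_by_family` the per-platform counts (42 for Windows 7, 48 for Windows 8.1). `spans_legacy_to_latest` is the defender's inventory view of the "bugs go way back" point: every CVE it returns is one that will never be fixed on the legacy platform but is still present on current builds, which is the list worth cross-checking against any Windows 7 or 8.1 hosts that remain on the network.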
What to do with those old computers?
If you’ve got Windows 7 or Windows 8.1 computers that you still consider usable and useful, consider switching to an open source operating system, such as a Linux distro, that is still getting both support and updates.
Some community Linux builds specialise in keeping their distros small and simple
Even though they may not have the latest and greatest collection of photo filters, video editing tools, chess engines and high-resolution wallpapers, minimalist distros are still suitable for browsing and email, even on old, 32-bit hardware with small hard disks and low memory.