It’s no secret that Microsoft is focusing on Windows 10 more than on any other Windows version, but Google has recently criticized this approach, explaining that Redmond actually leaves other users, including those running Windows 7, vulnerable to hackers.
In a post detailing how Windows 10 patches can be used to discover vulnerabilities in Windows 7, Google Project Zero researcher Mateusz Jurczyk explains that what Microsoft should do is release patches for all supported versions of the operating system at the same time.
Otherwise, there’s a chance that hackers will inspect the code of the updates that Microsoft releases for Windows 10 and, given that the most recent versions of the operating system share the base code, find ways to exploit systems running Windows 7.
“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows,” the security expert from Google explained.
Jurczyk goes on to explain how he actually managed to discover zero-day vulnerabilities in Windows 7 using this method, revealing that the same thing can be done even by non-advanced attackers.
“We hope that these were some of the very few instances of such "low hanging fruit" being accessible to researchers through diffing, and we encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software,” he explained in the rather technical analysis that you can read in full here.
On the other hand, Microsoft says that it’s committed to protecting all of its users, but emphasizes that the best security can only be provided once users have upgraded to Windows 10.
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” a company spokesperson replied.