Project Zero, Google's top security team, says that Microsoft is putting customers at risk by not patching Windows OS versions in the same way and with the same consistency.
One of the Google researchers reached this conclusion after discovering CVE-2017-8680, a vulnerability that only affected Windows 7 and 8.1, but not Windows 10. A deeper analysis revealed that Microsoft patched the issue internally, but had not backported the fix to the other OS versions.
Realizing that something was amiss, Project Zero researcher Mateusz Jurczyk looked deeper into the issue by patch and binary diffing recent updates for Windows 7, 8.1, and 10.
Jurczyk subsequently found that patches for some bugs had been applied differently to each version, resulting in new bugs, some of which were not specific to the other OS branches.
Both issues affected the Windows GDI+ component and were fixed in the September 2017 Patch Tuesday.
The point that Jurczyk is trying to make is "that security-relevant differences in concurrently supported branches of a single product may be used by malicious actors to pinpoint significant weaknesses or just regular bugs in the more dated versions of said software."
Different patch code allows attackers to infer the vulnerability's source (attack vector). As soon as Microsoft releases an update, attackers could patch and binary diff the Windows 7, 8.1, and 10 updates and look for inconsistent patches that may yield new bugs.
The researcher also points out that patch and binary diffing is a simple operation, accessible to all.
"It could have been easily used by non-advanced attackers to identify the three mentioned vulnerabilities (CVE-2017-8680, CVE-2017-8684, CVE-2017-8685) with very little effort," he said.
While confirmed with Windows, the issue of inconsistent patching most likely affects other vendors with large software portfolios, such as Oracle, Linux, Cisco, and others.
"We encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software," Jurczyk said.