Google: Users are at risk when Microsoft does not patch all Windows versions the same way
Google's leading security team, Project Zero, says Microsoft puts users at risk by not patching all Windows operating system versions uniformly.
One of Google's researchers came to this conclusion after discovering the CVE-2017-8680 vulnerability, which affects only Windows 7 and 8.1, not Windows 10. Further analysis showed that Microsoft had patched it internally but had not applied the fix to the other OS versions.
Realizing that something was wrong, researcher Mateusz Jurczyk took a closer look by comparing the latest updates of Windows 7, 8.1 and 10.
Non-uniform patches give rise to new bugs
Jurczyk then found that fixes for some bugs had been applied differently on each OS, resulting in new bugs. That is how he discovered CVE-2017-8684 and CVE-2017-8685, two vulnerabilities that affect only Windows GDI+ on Windows 7 and 8.1.
Different patch codes create a source of vulnerability
Jurczyk concluded that 'the difference in similar security flaws in different versions of the same product can help malicious code discover key weaknesses or just common errors on old versions'.
Different Windows patches help create an environment for new bugs
Differing patch code gives an attacker a source of vulnerabilities (an attack vector). As soon as Microsoft releases an update, an attacker can compare the patches for Windows 7, 8.1 and 10 and find discrepancies that could expose a new bug.
The researcher also points out that patch diffing is a simple technique. 'It can easily be used, even by amateurs, to identify the three new vulnerabilities mentioned above'.
Other software may be affected
As with Windows, inconsistent patching can also affect other software such as Oracle, Linux or Cisco. 'We encourage the adoption of identical security patches on supported software versions', Jurczyk said.
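One way a maintainer could check the patch parity Jurczyk recommends is to take the lines a security fix added on the newest branch and confirm they exist on every other supported branch. The sketch below is an added example, not code from Project Zero or Microsoft; the function `copy_glyph`, the branch names and the sample sources are constructed for illustration.

```python
import difflib
from itertools import islice

def norm(line):
    """Collapse whitespace so formatting differences between branches are ignored."""
    return " ".join(line.split())

def hardening_lines(before, after):
    """Return the normalised lines that the fix added on the reference branch."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                lineterm="", n=0)
    body = islice(diff, 2, None)  # skip the '---' / '+++' file headers
    return {norm(l[1:]) for l in body if l.startswith("+") and l[1:].strip()}

def parity_report(ref_before, ref_after, other_branches):
    """Map each other branch to the fix lines missing from its current source."""
    fix = hardening_lines(ref_before, ref_after)
    report = {}
    for name, source in other_branches.items():
        present = {norm(l) for l in source.splitlines()}
        report[name] = sorted(fix - present)
    return report

# Constructed sample: a hypothetical function before and after a fix on the newest branch.
REF_BEFORE = """int copy_glyph(char *dst, size_t dst_len, const char *src, size_t n) {
    memcpy(dst, src, n);
    return 0;
}
"""
REF_AFTER = """int copy_glyph(char *dst, size_t dst_len, const char *src, size_t n) {
    if (n > dst_len)
        return -1;
    memcpy(dst, src, n);
    return 0;
}
"""
# Constructed sample: post-update source of the same function on two older branches.
OTHER_BRANCHES = {
    "legacy-a": REF_BEFORE,  # the update never touched this function
    "legacy-b": "int copy_glyph(char *dst, size_t dst_len, const char *src, size_t n) {\n"
                "\tif (n > dst_len)\n\t\treturn -1;\n"
                "\tmemcpy(dst, src, n);\n\treturn 0;\n}\n",  # same fix, tab-indented
}

if __name__ == "__main__":
    for branch, missing in parity_report(REF_BEFORE, REF_AFTER, OTHER_BRANCHES).items():
        print(branch, "OK" if not missing else f"missing fix lines: {missing}")
```

A branch that reports missing lines is a candidate for a backport review; a line-level match is only a first filter, since an older branch may implement the same check with different code.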