The Cyber Resilience Act lays down mandatory cybersecurity requirements for digital products on the EU market. It clearly requires that security updates - where technically feasible - are provided separately from functionality updates and are also marked accordingly.

However, such atomic security updates make it much easier for exploit developers to perform binary/patch diffing if the build artifacts are distributed in the clear.

The patched and the unpatched version of a binary are first compared to determine the delta. An attacker may also generate a visual diff with a binary comparison tool to quickly spot the differences in the disassembled code.

In most cases, an atomic security update contains only minor changes. Less noise in the binary diff helps exploit developers identify the patched code fragments much faster. An identified patched code fragment most likely corresponds to a fixed security vulnerability, which can then be weaponized and turned into a working exploit.

As many users do not patch their products immediately, they remain vulnerable to N-day exploitation for some time. The same delay and critical time window can be observed in organizations as well: because regression tests have to be performed first, it takes a while until a security update is rolled out.

Therefore, many attackers wait for Patch Tuesday to analyze the Windows updates and craft an exploit on "Exploit Wednesday", before all systems have been updated. And some systems remain unpatched forever...