- Jan 24, 2011
Microsoft updates regularly contain fixes for security vulnerabilities which are not listed in its security bulletins. Microsoft defends these 'silent updates', as they are known within the security community, in a blog posting by its Security Research & Defense team.
When a security bug is fixed, the security team not only checks adjacent code for further vulnerabilities, it also looks for similar bugs elsewhere. It also occasionally lets fuzzers loose on the program in question. Microsoft designates such finds as 'variants', and they are defused with a minimum of fuss. They do, however, affect the classification given in bulletins. It can easily be the case that Microsoft increases the exploitability index of a bulletin due to a non-publicly disclosed variant.
Such security vulnerabilities also go unrecorded in the Common Vulnerabilities and Exposures (CVE) database, which is frequently used for comparative studies. Microsoft justifies not applying for CVE numbers for these 'variants' by pointing out that the CVE project purports to be a list of "publicly known" security vulnerabilities. The company points out that this would not apply to security issues discovered internally.
More details - link