Feb 15, 2011 16:06 GMT

Microsoft has detailed its policy of patching in-house discovered bugs silently and tried to answer the most frequently asked questions regarding this procedure.

The fact that Microsoft doesn't disclose all patched vulnerabilities in Security Bulletins is not a secret. This was admitted by the company in 2006.

This somewhat controversial policy applies to bugs discovered during the "Hacking for Variations" (HfV) process, which aims to limit the number of similar flaws in a product.

When the company receives reports of a vulnerability, it also inspects the source code for similar bugs and runs a plethora of tools, including fuzzers, against the vulnerable component.

Any flaw discovered in this way is considered a variant of the originally reported vulnerability and it doesn't get publicly disclosed, nor does it receive a CVE identifier.
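To make the variant-hunting step concrete, here is an added example of the kind of "same shape, different call site" search the article describes; it is not Microsoft's tooling and not code from the article. Starting from one reported bug (a length argument passed straight to `memcpy` without a bound check), it scans the rest of a file for other copy sinks whose length is a function parameter never compared against a bound in that function. The C snippet and its handler names (`parse_header`, `parse_body`, `parse_trailer`, `parse_footer`) are constructed for the example; the scanner is deliberately simple (column-0 function definitions, no nested parentheses in `if` conditions) and stands in for the source inspection and fuzzing a real variant hunt would combine.

```python
"""Variant hunting over a constructed C sample (added example, not Microsoft's tooling).

Given one reported bug, an unchecked length passed to memcpy, find every other
copy sink in the file with the same shape: the length argument is a function
parameter that no earlier 'if (...)' in that function compares against a bound.
"""
import re
from typing import Dict, List

# Constructed sample with hypothetical handler names; two of the four functions
# share the reported flaw shape, two bound the length first.
SAMPLE_C = r"""
int parse_header(char *dst, const char *src, unsigned len) {
    memcpy(dst, src, len);            /* reported bug: len unchecked */
    return 0;
}

int parse_body(char *dst, const char *src, unsigned len) {
    if (len > 256) return -1;
    memcpy(dst, src, len);            /* bounded: not a variant */
    return 0;
}

int parse_trailer(char *dst, const char *src, unsigned n) {
    memcpy(dst, src, n);              /* same shape as the report: variant */
    return 0;
}

int parse_footer(char *dst, const char *src, unsigned n) {
    if (n >= 64) return -1;
    memcpy(dst, src, n);              /* bounded: not a variant */
    return 0;
}
"""

# Function definitions at column 0: "<return type> name(params) {"
FUNC_RE = re.compile(r"^\w[\w\s\*]*?\b(\w+)\s*\(([^)]*)\)\s*\{", re.M)
# Copy sinks whose third argument is the number of bytes copied
SINK_RE = re.compile(r"\b(memcpy|memmove|strncpy)\s*\(([^;]*)\)\s*;")
# Simple 'if (cond)' without nested parentheses (good enough for the sample)
IF_RE = re.compile(r"\bif\s*\(([^)]*)\)")


def _function_body(src: str, open_brace: int) -> str:
    """Return the text from the opening brace to its matching closing brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace : i + 1]
    return src[open_brace:]


def _is_bounded(body_before_call: str, name: str) -> bool:
    """True if an earlier 'if (...)' in the function compares `name` to something."""
    for cond in IF_RE.findall(body_before_call):
        if re.search(rf"\b{re.escape(name)}\b", cond) and re.search(r"[<>]|[!=]=", cond):
            return True
    return False


def find_unchecked_length_sinks(src: str) -> List[Dict[str, object]]:
    """Report every copy sink whose length is a function parameter with no bound check."""
    findings: List[Dict[str, object]] = []
    for m in FUNC_RE.finditer(src):
        name, params = m.group(1), m.group(2)
        # "const char *src" -> "src"
        param_names = {p.strip().split()[-1].lstrip("*") for p in params.split(",") if p.strip()}
        brace = m.end() - 1  # index of the opening '{'
        body = _function_body(src, brace)
        body_line = src[:brace].count("\n") + 1  # 1-based line of the '{'
        for call in SINK_RE.finditer(body):
            args = [a.strip() for a in call.group(2).split(",")]
            if len(args) < 3:
                continue
            length = args[2]
            if length in param_names and not _is_bounded(body[: call.start()], length):
                findings.append({
                    "function": name,
                    "line": body_line + body[: call.start()].count("\n"),
                    "sink": call.group(1),
                    "length_param": length,
                })
    return findings


def variants_of(src: str, reported_function: str) -> List[str]:
    """Names of the other functions that share the reported function's flaw shape."""
    hits = find_unchecked_length_sinks(src)
    if not any(h["function"] == reported_function for h in hits):
        return []  # scanner does not reproduce the reported shape; nothing to compare against
    return sorted({str(h["function"]) for h in hits if h["function"] != reported_function})


if __name__ == "__main__":
    for h in find_unchecked_length_sinks(SAMPLE_C):
        print(f'{h["function"]}:{h["line"]}: {h["sink"]} length "{h["length_param"]}" unchecked')
    print("variants of parse_header:", variants_of(SAMPLE_C, "parse_header"))
```

Running the block flags `parse_header` (the reported bug) and `parse_trailer` (the variant), while the two handlers that compare the length first are left alone. This is exactly the bookkeeping the article describes: the variant is fixed alongside the report, and it is the scanner's output, not a separate external report, that tells you how many call sites the fix actually covers.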

However, these bugs do count when determining the severity and exploitability index of a security bulletin. "Aggregate severity, guidance and Exploitability Index ratings for a bulletin always take into account the variants," stresses Gavin Thomas from MSRC-Engineering.

As far as not securing CVE numbers goes, the engineer points out that the Common Vulnerabilities and Exposures database is for publicly known vulnerabilities only.

Also, the exact number of fixed variations is not always known because the patch might involve backporting a chunk of code from an unaffected version of the product.

Whether Microsoft is right to keep in-house discovered vulnerabilities secret can be debated, but one thing is certain: the company does indirectly profit from the practice.

Even though most security-minded individuals realize that comparing vulnerability numbers has no value, some companies still put out such "studies" from time to time.

And unfortunately, because they appeal to non-technical readers, these are usually the most widely publicized, leading to a false sense of security regarding some of Microsoft's products.