Microsoft has posted an entry on their TechNet blog regarding additional undocumented fixes which are included in the security updates Microsoft provide on “Patch Tuesday”.
In the clarification Microsoft points out that when it internally discovers variants of publicly known vulnerabilities, the variants are fixed but they are not documented. However Microsoft do rank the severity and importance of vulnerabilities and the corresponding patches based on the public knowledge and Microsoft’s internal understanding of the problem and any variants.
As an example Microsoft cite a fix to Office last November. During their investigation the assessment team found a variant vulnerability. This variant was actually easier to exploit than the original externally reported vulnerability, so the Exploitability Index rating was updated to a 1. The severity remained the same as the risk remained unchanged.
Microsoft point out that:
- As part of Microsoft’s comprehensive security update process, Microsoft will address variants of reported issues. Variants are internally found issues similar to the reported vulnerability, and are not documented in security bulletins.
- The overall severity of the bulletin will reflect the highest severity of any vulnerability fixed, whether it was an externally reported vulnerability or internally found variant. The same is also true for the Exploitability Index rating.
- The guidance Microsoft provides on bulletins and blogs takes into account all fixes done in a security update. For example, a workaround will mitigate the reported vulnerability as well as potential variants.
So in this case, Microsoft is defending its right to fix security issues without disclosing them to the public. Are they right to do so? Leave a comment below to let us know what you think.