Microsoft still using undercover patches
Microsoft updates regularly contain fixes for security vulnerabilities which are not listed in its security bulletins. Microsoft defends these 'silent updates', as they are known within the security community, in a blog posting by its Security Research & Defense team.
When a security bug is fixed, the security team not only checks adjacent code for further vulnerabilities, it also looks for similar bugs elsewhere. It also occasionally lets fuzzers loose on the program in question. Microsoft designates such finds as 'variants', and they are defused with a minimum of fuss. They do, however, affect the classification given in bulletins. It can easily be the case that Microsoft increases the exploitability index of a bulletin due to a non-publicly disclosed variant.
Such security vulnerabilities also go unrecorded in the Common Vulnerabilities and Exposures (CVE) database, which is frequently used for comparative studies. Microsoft justifies not applying for CVE numbers for these 'variants' by pointing out that the CVE project purports to be a list of "publicly known" security vulnerabilities. The company points out that this would not apply to security issues discovered internally.
Another point at which Microsoft is known to carry out silent fixes is major service releases, such as the forthcoming Service Pack 1 for Windows 7. The RTM version, which has already seeped onto the internet, has already been placed under the microscope in this respect. Irrespective of what you think of Microsoft's modus operandi, the blog entry provides a clear reminder that studies based on CVE entries can give only very limited information on the security of software.