Microsoft Explains Its 'Silent Update' Patch Practice
Microsoft on Monday offered some rare insight into its patching process, specifically concerning "silent updates," in a TechNet blog post.
Silent updates refer to vulnerability fixes that aren't documented in Microsoft security bulletins, yet relate to a specific documented problem, according to Microsoft's definition. It's a phenomenon better known to professional security researchers who track such matters.
"We understand that researchers will reverse engineer our updates when released, and that they will look for similar security vulnerabilities to the one reported; these similar vulnerabilities we call variants," wrote Gavin Thomas, a Microsoft Security Response Center engineer, in the blog post.
The difference between the reported vulnerability and a variant is that the variant is not publicly known. Microsoft folds fixes for the variants it finds into the same monthly security update as the reported flaw, as a precaution; the aim, according to Microsoft, is to close them before an outside party discovers and exploits them.
Besides not being documented in the security bulletin they ship with, the variants also receive no entry in the Common Vulnerabilities and Exposures (CVE) list, the public catalog of known security vulnerabilities. Microsoft does not publicly report how many vulnerabilities these variants represent.
"In many cases allocating a CVE would not be practical, for example, in some cases the security update is simply a back-port of code from a newer version of the product that has gone through the SDL [security development lifecycle] processes or perhaps the security update converted all unsafe string copy API calls to safe versions," Thomas wrote. "It's tough to know in cases like this how many vulnerabilities were addressed by this kind of bulk code change."
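As an added illustration of the bulk conversion Thomas describes (this is a constructed C example, not code from Microsoft's post or products): two record parsers share the same unbounded strcpy() pattern. Suppose only the first was reported from outside; the second is a variant in MSRC's sense. A mechanical switch to a bounded copy fixes both call sites at once, which is why the count of "vulnerabilities fixed" by such a change is a matter of definition. The struct names, field size and sample inputs are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: fixed 16-byte fields filled from attacker-controlled
 * input. Names, sizes and inputs are assumptions for illustration only. */
#define FIELD_MAX 16

struct user_record { char name[FIELD_MAX]; };
struct host_record { char hostname[FIELD_MAX]; };

/* BEFORE (the reported bug): strcpy() has no length bound, so any field of
 * FIELD_MAX or more bytes writes past the end of r->name. The hostname
 * parser below originally had the identical pattern; that is the "variant".
 * This function is kept only for comparison and is called with short input. */
static void set_name_unsafe(struct user_record *r, const char *field) {
    strcpy(r->name, field);
}

/* Bounded replacement with strcpy_s-style semantics: refuses input that does
 * not fit instead of overflowing, and always leaves dst NUL-terminated.
 * Returns 0 on success, -1 on failure (dst is then the empty string). */
static int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || dst_size == 0) return -1;
    if (src == NULL) { dst[0] = '\0'; return -1; }
    /* Measure at most dst_size bytes so an unterminated src is not scanned. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;
    if (n >= dst_size) {           /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);       /* copies the NUL as well */
    return 0;
}

/* AFTER: both call sites converted by the same mechanical change. Whether the
 * second site was ever reachable with long input is irrelevant to the fix. */
static int set_name_safe(struct user_record *r, const char *field) {
    return copy_bounded(r->name, sizeof r->name, field);
}

static int set_hostname_safe(struct host_record *r, const char *field) {
    return copy_bounded(r->hostname, sizeof r->hostname, field);
}

/* Runs constructed sample fields through both converted call sites and returns
 * how many were rejected for not fitting. Two of the four samples are too long. */
static int count_rejected_samples(void) {
    static const char *const names[] = { "alice", "0123456789abcdef" };   /* 5 and 16 bytes */
    static const char *const hosts[] = { "db01", "this-hostname-is-too-long.example" };
    struct user_record u;
    struct host_record h;
    int rejected = 0;
    for (size_t i = 0; i < 2; i++) {
        if (set_name_safe(&u, names[i]) != 0) rejected++;
        if (set_hostname_safe(&h, hosts[i]) != 0) rejected++;
    }
    return rejected;
}

int main(void) {
    struct user_record u;
    set_name_unsafe(&u, "bob");                 /* safe only because input is short */
    printf("unsafe copy of short input: %s\n", u.name);
    printf("rejected by bounded copy: %d of 4 samples\n", count_rejected_samples());
    return 0;
}
```

The bounded helper treats "does not fit" as an error rather than silently truncating, mirroring the safe-string APIs Microsoft moved to; truncation would keep the program running but can create a different bug (a mangled hostname or path), so a caller should decide explicitly what to do with oversized input.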
While the variants are not disclosed to users, they are taken into account when a security update is assigned its severity rating and guidance. Thomas states that because variants are closely related to the reported vulnerability, they raise the severity level of the update only in rare situations. The Exploitability Index rating for the vulnerability, however, will rise with the number of variants.