I don’t know if this is really news to anybody, but I do like it when I am finally proven to be correct. Here are a couple of good reasons to perform thorough testing of all vendor-provided patches. If you can’t see what’s inside by looking at the label, how can you tell what it might break? Computerworld has published an article today stating what I have been saying for years: Microsoft does not disclose all of the vulnerabilities that it addresses when it issues a patch. As a result, comparisons of the number of vulnerabilities reported by different vendors paint an inaccurate picture.
“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington. Microsoft assigns a single Common Vulnerabilities and Exposures (CVE) number to a group of flaws that share the same severity, the same attack vector and the same workaround. If several flaws share all of those properties, they are not reported separately.
The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that exposed users of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take control of the system.
Brad Arkin, Adobe’s director of product security and privacy, admitted that Adobe does not assign CVE numbers to bugs that the firm finds itself. Adobe considers these updates “code improvements”. CVE numbers are used only for bugs that are actively exploited or that were reported by external researchers.