Microsoft On “Silent Updates”

I’ve been saying it for years to anyone I have met while involved in Vulnerability Management. Microsoft packs more code into a patch than is required to fix the published vulnerabilities, and is quietly patching unpublished security issues. They have done this for years, and continue to do so. Microsoft is also known to carry out silent fixes in major service pack releases.

These security vulnerabilities go unrecorded in the Common Vulnerabilities and Exposures (CVE) database, which is frequently used for statistical studies. Microsoft justifies not applying for CVE records for these ‘vulnerability variants’ by pointing out that the CVE project purports to be a list of “publicly known” security vulnerabilities; because these vulnerabilities were discovered internally, they are considered out of scope.

Microsoft defends these ‘silent updates’, as they are known within the security community, in a blog posting by its Security Research & Defense team.