
Microsoft's silent, secret security updates

[UPDATED] Does Microsoft find and fix security problems in their own products? You might assume so, but the company gives no reason to believe it. I assume they do, but silently.

It's an odd and conspicuous feature of Microsoft's security bulletins that they never report vulnerabilities found internally at Microsoft. All of the credits go to outsiders. 

For example, yesterday's Patch Tuesday updates fixed 32 identified vulnerabilities, none of which were credited to Microsoft. These companies, bug bounty programs and individuals were credited:

  • Baidu Security Team (X-Team)
  • Context Information Security
  • EY
  • Esage Lab
  • Google Project Zero
  • Google Security Team
  • HP's Zero Day Initiative
  • IBM X-Force
  • Kaspersky Lab
  • KoreLogic Security
  • McAfee Security Team
  • Palo Alto Networks
  • Qihoo 360
  • Secunia Research
  • Two unaffiliated individuals: Takeshi Terada, Daniel Trebbien

I eyeballed every disclosure released this year and saw no vulnerabilities credited to Microsoft. I've been following this for many years and can say that it's always been thus.

There are some vaguer cases. The blockbuster Schannel vulnerability in MS14-066 is stated to be "privately-reported" but no credit is given; this happens now and then, perhaps ten times this year.

Update on November 12: By coincidence (?) a blog entry yesterday by the Microsoft Security Research and Defense team says that the MS14-066 bug was "Internally found during a proactive security assessment." This conflicts with the claim in the bulletin that it was "privately reported." If that's true, and the uncredited "privately reported" cases are in fact internally detected vulnerabilities, they are infrequent.

Sometimes the credited party is named with no organizational affiliation, as with the two individuals in the list above, but I've checked a bunch of these and none of them are Microsoft people. Sometimes the credited party is anonymous, but always reported as an outsider reporting to Microsoft. (As an aside, starting this month Microsoft has put all the credits on a single acknowledgements page rather than spreading them around the individual security bulletins.)

Does Microsoft actually never find vulnerabilities in their own products? This is hard to believe. Both Google and Apple regularly give credit to internal researchers. If Microsoft does find vulnerabilities, what's happening to them? Does Microsoft just not fix them? Do they pass them on to friends who get bug bounties from HP's ZDI (Zero Day Initiative)? Or maybe Microsoft or their employees go directly to ZDI. Consider these two credits from the August Cumulative Security Update for Internet Explorer:

  • An anonymous researcher, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-4052)
  • Sky, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-4058)

Who's to say these aren't Microsoft employees?

But I think it's more likely Microsoft is hiding security updates inside other updates, such as non-security updates. Consider the episode a few months ago when Microsoft had to pull a number of updates after they borked users' systems. One of those updates was an "Update to support the new currency symbol for the Russian ruble in Windows." This is one of the updates that caused systems to go into infinite reboot loops. Just for adding a new ruble symbol to the system you get that kind of catastrophic failure? Perhaps there was more to it.

Alternatively, Microsoft could be hiding security updates inside of other security updates. There have been ten Cumulative Updates for Internet Explorer so far this year. It would be easy to hide another patch in one of those. In the September Cumulative Update Microsoft said "In addition to the changes that are listed for the vulnerabilities described in this bulletin, this update includes defense-in-depth updates to the Internet Explorer XSS Filter to help improve security-related features." The same text is in the June Cumulative Update. That's a pretty elastic description, and cumulative updates are, by definition, large and complicated.

The main argument for why I'm wrong is that outsiders can reverse-engineer the differences between the old and new versions of a patched binary, as they are said to do already in order to locate the vulnerable code and write exploits for it. Anyone doing that would find the silently-patched vulnerabilities too and write exploits for them. But perhaps this actually happens all the time. (That's what I see as the main argument; please tell me why you think I'm wrong in the comments below.)
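To make the "patch diffing" objection concrete, here is an added example (not code from the original post, and not how any real tool works internally) of the basic idea: split each build into functions, hash each function body, and report which bodies appear in only one build. Real tools such as BinDiff or Diaphora disassemble the code and match functions by control-flow structure so that recompilation noise does not drown the signal; this toy version only splits raw x86 code on the classic `push ebp; mov ebp, esp` prologue, and the two "builds" are constructed byte strings, not Microsoft binaries.

```python
"""Toy patch diffing: which functions changed between two builds of a binary?

Added example, not from the original post. The function-boundary heuristic
(split on the x86 prologue 55 8B EC) is deliberately simplistic; real patch
diffing disassembles the code and matches functions structurally.
"""
from __future__ import annotations

import hashlib

# push ebp ; mov ebp, esp -- the classic x86 function prologue
PROLOGUE = b"\x55\x8b\xec"


def split_functions(code: bytes) -> list[tuple[int, bytes]]:
    """Split raw code into (offset, body) chunks, one per prologue occurrence.

    Bytes before the first prologue are treated as padding/data and dropped.
    Assumption: no function body happens to contain the prologue bytes.
    """
    offsets = []
    i = code.find(PROLOGUE)
    while i != -1:
        offsets.append(i)
        i = code.find(PROLOGUE, i + 1)
    ends = offsets[1:] + [len(code)]
    return [(start, code[start:end]) for start, end in zip(offsets, ends)]


def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def diff_builds(old: bytes, new: bytes) -> dict:
    """Compare two builds function by function.

    Returns the number of byte-identical functions plus the offsets (in the
    respective build) of functions whose bodies exist in only one build. A
    one-byte fix shows up as one 'removed' offset and one 'added' offset.
    """
    old_by_hash = {_digest(body): off for off, body in split_functions(old)}
    new_by_hash = {_digest(body): off for off, body in split_functions(new)}
    return {
        "unchanged": len(old_by_hash.keys() & new_by_hash.keys()),
        "removed": sorted(old_by_hash[h] for h in old_by_hash.keys() - new_by_hash.keys()),
        "added": sorted(new_by_hash[h] for h in new_by_hash.keys() - old_by_hash.keys()),
    }


# Constructed sample: three tiny x86 functions. f1 and f3 are identical in both
# builds; in the "patched" build f2's bounds check changes from jle (0x7E) to
# jl (0x7C), the kind of one-byte fix a silent patch might consist of.
f1 = PROLOGUE + b"\x33\xc0\x5d\xc3"                              # xor eax,eax ; pop ebp ; ret
f2_old = PROLOGUE + b"\x8b\x45\x08\x3b\x45\x0c\x7e\x05\x5d\xc3"  # mov/cmp ; jle +5 ; pop ebp ; ret
f2_new = PROLOGUE + b"\x8b\x45\x08\x3b\x45\x0c\x7c\x05\x5d\xc3"  # mov/cmp ; jl  +5 ; pop ebp ; ret
f3 = PROLOGUE + b"\x8b\xc1\x5d\xc3"                              # mov eax,ecx ; pop ebp ; ret

OLD_BUILD = f1 + f2_old + f3   # f1 @0, f2 @7, f3 @20
NEW_BUILD = f1 + f2_new + f3

if __name__ == "__main__":
    print(diff_builds(OLD_BUILD, NEW_BUILD))
```

Run against the sample, the report points straight at offset 7 in both builds: the only function whose bytes differ, and therefore the first place an attacker reading the update would look, whether or not a bulletin mentioned it. Functions without a standard prologue, or a build where the compiler version changed and every function hashes differently, are exactly the cases that push real analysts to structural matching instead of byte hashes.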

Of course I don't actually know that Microsoft is hiding secret security updates, but the alternatives aren't exactly flattering. It's especially odd to think that Microsoft doesn't hunt for security bugs in their own products when they do so in other companies'. Just yesterday, one of the many vulnerabilities fixed by Adobe in Flash Player (CVE-2014-8442) was reported by "Behrang Fouladi and Axel Souchet of Microsoft Vulnerability Research."

Over the last ten years or so Microsoft has gone to great lengths to gain credibility in security and I think they are generally respected in this regard. Why would they not acknowledge any internally-discovered vulnerabilities? Sounds incredible to me.

Microsoft declined to comment.