Microsoft's security patches sometimes fix more problems than their descriptions let on. This is not a new problem, nor is it unique to Redmond. As much as anything else, it is a consequence of the way patches are produced: when a vendor is analyzing and fixing one flaw, they might well discover other flaws in the same piece of code, and their patch will fix the whole set.

However, research by one security company, Core Security Technologies, suggests that in so doing, Microsoft may be underplaying the significance of various patches, which may lead companies to be less aggressive in rolling out patches for critical flaws.

In particular, the company believes that secret fixes in two of last month's patches make the patches more important than Microsoft's bulletins suggest. It has issued its own bulletins to discuss the additional fixed flaws.

Core Security Technologies analyzes patches to produce attacks for use with its penetration software; it uses real exploits to detect network vulnerabilities. Attackers do the same: comparing patched files to unpatched files to learn exactly what was patched is a common technique, which is one of the reasons that accurate assessments and timely deployment are so important.

Corporate policy at Microsoft—and many other vendors—is to not disclose these internally discovered flaws. They are mentioned neither in the industry-wide CVE database, nor in the notes to each bulletin.

If the public flaws are less serious than the other flaws that a patch repairs, there is a danger that the importance of the patch will be underestimated by users, and that they will be lulled into a false sense of security. In conjunction with the fact that releasing a patch often makes exploitation of the flaw more likely (due to the aforementioned analysis of the patches), this is a dangerous situation.

Both of the fixes in question were given an "Important" rating, Microsoft's second highest, and even with the additional flaws taken into consideration, those ratings are still likely to be reasonable. Nevertheless, it is still an issue to consider in the future: there may be more to a patch than meets the eye.