Security firm: Microsoft issued silent patches last month


The chief technology officer of Core Security Technologies, Ivan Arce, says that Microsoft patched three vulnerabilities last month that it did not disclose. Such a move appears to be perfectly reasonable at first glance; as Microsoft analyzes and repairs a particular problem, additional flaws could well be uncovered that have to be addressed quickly. In addition, Microsoft's corporate policy is not to disclose flaws that were discovered internally.

The problem, according to Arce, is that such undisclosed patches can result in the significance of the updates being downplayed. This could inadvertently cause businesses to be less aggressive in rolling out the new security patches.

Last month, Microsoft packaged an update to Exchange and Windows SMTP Service together with security bulletin MS10-024. These two "silent" patches are actually more important than the two vulnerabilities that Microsoft did disclose, says Arce. Since they were not officially informed, however, system administrators may well "end up making the wrong decisions about applying the update." 

Delays in applying security updates could be problematic, given that hackers and security companies alike routinely compare the patched files with earlier versions in order to identify the fixed flaws and develop working exploits or penetration-test modules. As such, administrators need the full information in order to assess the risk appropriately.

For more on this story:
- check out the article at Computerworld
- check out the article at Ars Technica
