Microsoft has explained its rationale for quietly fixing some security vulnerabilities without issuing an associated bulletin.
Such "silent updates" have been happening for years, but have escaped much notice outside the small community of reverse engineers. Normally the bugs in question are close relatives of disclosed vulnerabilities that emerge during the verification of suspected security problems using fuzzing and other approaches.
Associated flaws can increase the security (or exploitability) rating of their publicly disclosed siblings, but don't necessarily earn a bulletin all to themselves or inclusion in the Common Vulnerabilities and Exposures (CVE) database.
Microsoft said it is not under any obligation to add the silent bugs to the database because the index is restricted to publicly disclosed flaws. Security bugs discovered during internal testing are not included in this category.
A blog posting by Gavin Thomas of Microsoft Security Response Center explaining the issue in greater depth can be found here. ®