Microsoft doesn’t report all of the security vulnerabilities that it fixes. “We don’t document every issue found. Microsoft will issue one Common Vulnerabilities and Exposures number for flaws that share the same severity properties; they won’t be reported separately,” Mike Reavey said.
The nondisclosure of fixes was brought to light by Core Security Technologies, which noticed three silent fixes after studying security bulletins MS10-024 and MS10-028. MS10-028 addressed a flaw that exposed users of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take control of the system. Microsoft didn’t report the additional flaws it patched in Visio because: “The attack vector was exactly the same, the severity was exactly the same. From a customer’s perspective, the same workaround — not opening Visio documents from untrusted sources — applied,” Reavey said.
Adobe, too, is keeping quiet about internally found vulnerability fixes. At a Microsoft event, Adobe’s Brad Arkin admitted that the company won’t assign CVE numbers to bugs that the firm found itself. Adobe considers these updates “code improvements,” Arkin said. CVE numbers are used only for bugs that are actively exploited or that were reported by external researchers.