I wrote about undisclosed or silent patches earlier, with regard to Microsoft and Google.
Another consulting firm has now made a public statement about the same issue.
Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.
Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as “important,” its second-highest threat ranking.
I still give Microsoft credit for improving its practices significantly over the years. This case is only a slight twist on the same issue: what the consulting firm is complaining about is the risk determination, not a patch shipped with no notice or evidence at all, as in the case of Google. The firm contends that Microsoft “‘misrepresented’ and ‘underestimated’ the criticality” of a patch. Microsoft has countered that the fixes were documented and would have been installed as part of the larger group of released patches.