Earlier this month, security firm Core Security Technologies pointed out that Microsoft had quietly fixed three security vulnerabilities in patches released last month without notifying system administrators. The two patches concerned are MS10-024 and MS10-028. A few days ago, Microsoft acknowledged that it does not disclose every vulnerability it fixes when it patches software. Mike Reavey of the Microsoft Security Response Center (MSRC) said: "We will not publish all the issues we find."
Reavey explained that Microsoft assigns a Common Vulnerabilities and Exposures (CVE) identifier to a vulnerability and documents its severity, attack vector and workarounds. If several vulnerabilities share the same severity, attack vector and workarounds, Microsoft does not publish them separately.
Microsoft did not report the other vulnerabilities it fixed in Visio because: "They have exactly the same attack vector and are no less severe. From a customer perspective, the same workaround applies: do not open Visio documents from untrusted sources."