Computerworld: Ivan Arce, the chief technology officer of Core Security Technologies, says that Microsoft patched three vulnerabilities last month, two of them affecting mission-critical enterprise Exchange mail servers, without telling its customers about it. "They're more important than the [two vulnerabilities] that Microsoft did disclose," said Arce. "That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk."
However, most security experts say that the practice isn't that unusual. "Vendors commonly find bugs themselves in released code and will distribute the fixes inside a bundle of other patches," noted Andrew Storms of nCircle Security. "Many times there simply is no benefit to anyone to disclose the bug."
Microsoft has acknowledged the secret patches.