Microsoft has lashed out at UK security firm Computer Terrorism for publishing details about a software vulnerability in Internet Explorer before the vendor had a chance to issue a patch.
Computer Terrorism issued a security advisory on Monday and published
proof-of-concept code demonstrating how a known flaw in Internet Explorer could
be used to execute code. The method could be used by an attacker to take control
over a system.
The flaw was believed to have only a minor security impact, but the proof-of-concept code caused security firm Secunia to raise its severity rating to 'highly critical'.
It is common practice in the security industry to allow software vendors time
to develop a patch before details about any vulnerabilities are published. Such
details could help malware authors in creating exploits for the flaw and could
put the security of end users at risk.
Microsoft is alleging that Computer Terrorism broke with that practice. "Microsoft is disappointed that certain security researchers have breached common industry practices and published proof-of-concept code potentially harming computer users," a company spokesman told vnunet.com.
"Microsoft continues to urge security researchers to disclose vulnerability
information responsibly and allow customers time to deploy updates so that they
do not aid criminals in their attempt to take advantage of software
vulnerabilities."
However, senior security research analyst Simon Robinson argued that Computer
Terrorism had no choice. The Internet Explorer flaw was originally published in
May but at the time was considered to form only a minor security threat.
"It should never have been classified as a low-level vulnerability,"
Robinson told vnunet.com. "It should have
been a moderate risk. When we picked up that it could be exploitable, we were
astonished at how easy it was."
By going public the firm sought to warn end users that they were facing a severe risk. "We had a strong belief that it was already being exploited in the wild," said Robinson.
He emphasised that the firm is talking to Microsoft about the security report
and in other cases does follow the industry's non-disclosure guidelines.
"This case where the severity rating of a known flaw had to be elevated to
'highly critical' is unprecedented and justified a deviation from common
practices," he said.
The reported flaw affects fully patched Windows systems running Internet Explorer. Users are advised to turn off JavaScript when they visit untrusted websites, or to switch to an alternative browser such as Opera or Firefox.