Computer Terrorism issued a security advisory on Monday and published proof-of-concept code demonstrating how a known flaw in Internet Explorer could be used to execute code. The method could be used by an attacker to take control over a system.
It is common practice in the security industry to allow software vendors time to develop a patch before details about any vulnerabilities are published. Such details could help malware authors in creating exploits for the flaw and could put the security of end users at risk.
Microsoft is alleging that Computer Terrorism broke with that practice. " Microsoft is disappointed that certain security researchers have breached common industry practices and published proof-of-concept code potentially harming computer users," a company spokesman told vnunet.com.
"Microsoft continues to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so that they do not aid criminals in their attempt to take advantage of software vulnerabilities."
However, senior security research analyst Simon Robinson argued that Computer Terrorism had no choice. The Internet Explorer flaw was originally published in May but at the time was considered to form only a minor security threat.
"It should never have been classified as a low-level vulnerability," Robinson told vnunet.com. "It should have been a moderate risk. When we picked up that it could be exploitable, we were astonished at how easy it was."
By going public the firm sought to warn end users that they were facing a severe risk. "We had a strong belief that is was already being exploited in the wild," said Robinson.
He emphasised that the firm is talking to Microsoft about the security report and in other cases does follow the industry's non-disclosure guidelines.
"This case where the severity rating of a known flaw had to be elevated to 'highly critical' is unprecedented and justified a deviation from common practices," he said.
BT wants to make the public switched telephone network history within eight years
Personal data being purloined by third parties via Facebook Login API
MacOS and iOS are better off apart, says CEO Tim Cook
Or they'll no longer be entitled to updates and bug patches