"This issue was reported to us on June 5, 2010 by a Google security researcher and then made public less than four days later, on June 9, 2010," said Mike Reavey, the director of the Microsoft Security Response Center (MSRC). "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."
According to the time stamp on Ormandy's message to the Full Disclosure mailing list, he posted it at 1:46 a.m. Swiss time on June 10, or 4:46 p.m. PT on June 9.
The two companies have traded blows this year that have included public arguments about the quality of each other's software suites -- Google Docs and Microsoft Office -- and about reports that Google wants to phase out Windows inside the company over security concerns.
Some security researchers blasted Ormandy for going public when Google's policy is to not reveal a bug until the affected vendor has a chance to fix the flaw. "Google can't have their cake and eat it too," said Robert Hansen, the CEO of SecTheory, in an interview yesterday.
Ormandy declined to comment when contacted by e-mail. In a message on Twitter late Thursday, however, he said, "The HelpCtr bug today was intended as a personal project. It sucks that work has been dragged into it."
The Help and Support Center vulnerability was the eighth zero-day -- the term used to describe a threat for which there is no patch -- that Microsoft has faced so far this year, according to data provided by Andrew Storms, the director of security operations at nCircle Security.
Six of those vulnerabilities have been patched, with fixes released an average of 43 days after Microsoft acknowledged the bug. The fastest turnaround was seven days for an emergency IE patch Microsoft closed in January. Hackers had exploited the bug to break into Google's corporate network . The longest cycle so far this year was 125 days.
Last year, Microsoft handled 10 zero-days, also patching them in an average of 43 days, with a shortest time-to-fix of eight days and a longest of 151 days.
"Despite the fact that Microsoft has made progress in getting researchers to report vulnerabilities, they're not immune to zero-days," said Storms.