The Microsoft-Spurned Researcher Collective posted their message anonymously using an account from the Hushmail service and listed six names supposedly associated with the group. The names, however, were represented only by multiple Xs.
The group also called on other researchers to join it and along the way took another jab at its opponent. "We do have a vetting process, by the way, for any Microsoft employees trying to join," the group said.
Microsoft confirmed it was investigating the bug, but said the risk to users was minimal. "Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local Denial of Service," said Jerry Bryant, a group manager with the company's MSRC, in an e-mail late Monday.
In another e-mail, Bryant said the bug didn't meet the bar for releasing a security advisory, Microsoft's usual first step in the process it goes through to patch a problem.
Danish vulnerability tracking firm Secunia agreed with Microsoft that the bug was relatively minor, classifying it as a "less critical" threat, the second-lowest ranking in its five-step system. According to Secunia, the bug affects fully patched versions of Windows Vista Business SP1 and Windows Server 2008 Enterprise SP1 and SP2, and possibly other editions of the operating system.
The flaw revealed by the Microsoft-Spurned Researcher Collective was not the only unpatched vulnerability to go public in recent days.
On Monday, Secunia published an advisory that outlined a "moderately critical" bug in Windows 2000 and Windows XP that could be used to hijack PCs. Via Twitter on Monday, Microsoft said it was investigating that bug report as well, and said it would provide an update "when we have more information."