"They've been doing this forever, MSRC is about managing PR incidents, not improving security," said Tavis Ormandy in a reply to Vupen's tweet.
Ormandy, a Google (GOOG) security engineer, has butted heads with Microsoft before -- most notably last summer, when he released exploit code for a bug in Windows' Help and Support Center after he said Microsoft refused to set a patch deadline.
Microsoft's Bryant said the MSRC researchers are will investigating the bug, and would issue a patch or a workaround to protect users.
Although the company's next regularly-scheduled Patch Tuesday is three weeks away, it's unlikely a fix will be delivered then unless a large number of in-the-wild attacks exploiting the vulnerability appear.
Sign up for CIO Asia eNewsletters.