Following the outing of a vulnerability in Windows by a security researcher who works for Google, Microsoft said Tuesday that it detected a number of targeted attacks exploiting the flaw.
The revelation was made in a security alert issued by Microsoft on the same day it addressed the vulnerability in its monthly "Patch Tuesday" package of fixes for July.
"Microsoft detected targeted elevation of privilege attacks after the issue became publicly known," Microsoft Trustworthy Computing spokesperson Dustin Childs said in an email.
Microsoft would not elaborate on its findings.
The vulnerability was aired in May by Tavis Ormandy, who is employed by Google but claimed to be acting independently when he revealed the flaw in a security blog. The vulnerability in Windows 7 and 8 allows local users to obtain escalated privileges, making it easier for a hacker to compromise a system.
Ormandy did not respond to a request for an interview for this story.
Google also declined to comment, although it's believed the company is working with Ormandy to improve communications between the researcher and Microsoft.
Ormandy has been criticized by some in the security community who subscribe to the practice that a vulnerability shouldn't be made public until a software maker has an opportunity to fix it.
"In the past Tavis Ormandy has publicized vulnerabilities in Microsoft's code that have then been exploited by malicious hackers to infect the computers of innocent Internet users," security researcher Graham Cluley said.
"It's hard to argue against the belief that those computer users would not have been hit if Tavis Ormandy had not shared demo code exploiting the vulnerabilities which hackers could build their own attacks upon," he added.
Discovering a previously unknown or "Zero Day" vulnerability carries a lot of responsibility, said Bogdan Botezatu, a senior e-threat analyst with Bitdefender.
"Most of the time, ethical hackers do not disclose proof-of-concept code for unpatched vulnerabilities, because this would dramatically impact the security of users running the respective software," Botezatu said.
"Although in most of the cases disclosure is highly not recommended, more and more security researchers are doing it as a last resort, if the vendor postpones a fix or does not plan to treat the issue," he said.
"Throwing the exploit code into the wild exposes the machines," he added. "But also minimizes the window of opportunity and forces the vendor to come with a fix to avoid mass exploitation."
Cluley explained that members of the security community aren't monolithic in how they treat the vulnerabilities they find.
"There is a hardcore section of the security researcher community who feel it is better for all information to be free, even if a fix is not yet available," he said. "This is, essentially, a religious debate -- with neither side prepared to bend much to accept the others' point of view."