Computerworld: Microsoft has confirmed the existence of a bug in Windows XP and Windows Server 2003 that could be used to download malware onto users' PCs, but claims that the vulnerability is not currently being exploited in the wild. Redmond says that it is working on a patch but has not said when the patch will become available.
The bug--and a proof-of-concept exploit--were made public on Thursday by Google employee Tavis Ormandy. He has come under criticism for releasing the security flaw just four days after notifying Microsoft of the problem. "This issue was reported to us on June 5, 2010 by a Google security researcher and then made public less than four days later, on June 9, 2010," said Microsoft's Mike Reavey. "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."