A security researcher who disclosed a zero-day vulnerability in Internet Explorer on Wednesday complained that Microsoft's security team gave him the brush-off and sent him a "rather threatening e-mail."
Ironically, the bug is in how IE warns users of potentially unsafe active content on a Web site, such as an ActiveX control.
Matthew Murphy posted a detailed description of the IE bug to the Full Disclosure security mailing list, where he noted that security dialogs could be used by attackers to hijack computers or install their own code on the compromised machines.
The security dialogs, said Murphy, are an exploitable weakness, especially in older versions of Windows, such as Windows 98, Windows 2000, and Windows XP SP1. But even newer OSes are vulnerable.
"On newer systems [Windows XP SP2, Windows Server 2003] the impact of this vulnerability is more limited, but remains serious," he said.