“We all know from past experience the reverse engineering of patches back into exploits starts at the time — if not before — the patches are released,” Mr. Frantzen said. “Typically it takes between hours and a few days or so to complete this if it’s easy to exploit.”
In this case, the flaws could allow an attacker to run arbitrary code on a user’s computer by tricking them into opening a maliciously crafted PowerPoint file.
Microsoft security engineer Jonathan Ness defended the move by saying “We normally do not update one supported platform before another, but given this situation of a package available for an entire product line that protects the vast majority of customers at risk within the predictable release cycle, we made a decision to go early with the Windows packages.”
He added that none of the exploit samples Microsoft has analyzed will reliably work on the Mac, so the company didn’t see an issue with releasing information about the flaws before offering a security patch for Office 2004 and Office 2008.
Mr. Frantzen, however, doesn’t see Microsoft’s move as responsible. “Microsoft is the one big company screaming loudest of all over responsible disclosure,” he said.