Microsoft says hackers have attacked some computers by exploiting a flaw in Internet Explorer 8 that was disclosed in May by a Google researcher.
Google security engineer Tavis Ormandy came under fire for publicising the flaw without telling Microsoft first, but Microsoft was able to issue a patch in its June Patch Tuesday security update.
Microsoft provided few details about the attacks, but said hackers had exploited the flaw to carry out "targeted attacks", according to the Guardian.
Ormandy has clashed with Microsoft on several occasions. Microsoft encourages researchers to disclose flaws responsibly, so that attackers cannot exploit vulnerabilities before they are fixed.
Ormandy published his advisory, including exploit code, just five days after reporting the vulnerability to Microsoft.
At the time, Microsoft said reporting vulnerabilities directly to suppliers without further disclosure helped ensure customers receive high-quality updates before vulnerabilities are exploited.
However, the fact that the flaw is being exploited after the release of a security update highlights the importance of keeping all software up to date.
Failure to patch software applications exposes computer systems to attackers exploiting known vulnerabilities, research has shown.
Keeping software up to date with security patches can deliver 80% protection from cyber threats, Secunia research analyst Stefan Frei told attendees of Infosec Europe 2012 in London.
The best way for enterprise information security professionals to deal with the onslaught of malware is to apply security updates to enterprise software as soon as possible, he said.