Microsoft typically condemns researchers who release information prior to the company providing a patch. "Microsoft continues to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates," the spokesperson added.
She defended the company's lack of action in May by pointing to the low threat the vulnerability originally posed. "[It was reported] as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible."
Alfred Huger, senior director of engineering for Symantec's security response team, took Microsoft's side on this one. "There are so many [security] issues that they have to deal with, they have to do triage," he said, referring to the prioritizing practice. "I don't see this as any kind of malicious inattention."
As is its practice, Microsoft would not commit to a timetable for patching the flaw. "We will issue a fix for this issue once the investigation is complete and the update is found to be well engineered and as thoroughly tested as possible," said the spokesperson.