Microsoft has released the first Patch Tuesday batch following its controversial decision not to warn IT admins in advance what it plans to fix.
The change triggered widespread protest in the cybersecurity industry when it was announced last week, with the security analytics vendor Rapid7 condemning it as "an assault on IT and IT security teams".
Ross Barrett, senior manager of security engineering at Rapid7, said: "It seems that Microsoft’s trend towards openness in security has reversed, and the company that was formerly doing so much right is taking a less open stance with patch information.
"It is extremely hard to see how this benefits anyone, other than, maybe, whoever is responsible for support revenue targets for Microsoft."
Of the eight bulletins in the batch, at least three address vulnerabilities that were already publicly known, and one of those was being actively exploited, according to Lumension, which specialises in patch management.
Two of the flaws were publicly disclosed by Google before Microsoft fixed them. Both are privilege-escalation bugs: an attacker who already had a foothold on a machine could use either to grant himself administrative privileges and run commands with those rights.
Microsoft criticised Google’s behaviour in the wake of the announcement, even though Google had followed its standard practice of waiting 90 days after privately reporting the bugs to the vendor before publishing what it had found.
Karl Sigler, threat intelligence manager at cybersecurity firm Trustwave, argued that bug researchers should "be flexible" around bug disclosure, adding that "bugs embedded deep in an operating system’s architecture" would be more difficult to fix.
However, he added that deadlines could be important. "If the ‘good guys’ are finding this vulnerability, there’s good reason to think that criminals have found it too," he said.
"Sometimes sticking to your deadlines is the only way to light a fire under an organisation and actually get them to take the vulnerability seriously."