John Pescatore, an analyst for Gartner who covers security, agreed with the minority. "I think Microsoft did the right thing here," he said in an e-mail. "I would much rather see solid, well-tested patches for the highest risk vulnerabilities -- which means first the ones where there are active exploits out -- come out first, rather than wait for all versions to be patched simultaneously, or to rush out immature patches quickly and require re-patching later."

Andrew Storms, director of security operations at nCircle Network Security, took a middle path. "I wouldn't say that [Frantzen] has gone too far. Microsoft really owns 'responsible disclosure,' both in the PR sense and in the sense that they've been able to get researchers to do it," said Storms. "You don't break your own mantra.

"Regardless, I disagree with him," Storms continued, "simply because the proof-of-concept code has been out there for a month." If no one has taken that sample code, and used it to investigate, then create a working exploit for the Mac in the past month and more, Storms argued, it was very unlikely that they would go to the additional work of reverse engineering the Windows patches to figure out how to build an exploit for the Mac.

"Why would they take the harder path," Storms asked, "when they haven't taken the easier?"

Microsoft was not able to immediately provide someone from its security response center to argue the company's side of the responsible disclosure debate, but yesterday it to release PowerPoint patches for Windows but not for Mac OS X.