Microsoft rushes clutch patch for 'deep' bug in Windows, third-party apps

27.07.2009

"The bug is actually much 'deeper' than most people realize," said Dullien, "[and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue."

Additionally, said Dullien and Elser, third-party developers may have used the same flawed library to create their own applications. "The bug might have weaseled its way into third-party components, if anyone outside of Microsoft had access to the broken ATL versions," said Dullien. "If this has happened, Microsoft might have accidentally introduced security vulnerabilities into third-party products." Dullien claimed that older versions of Adobe's Flash contained the vulnerability.

In a on Friday, Dullien speculated that Tuesday's fixes will "patch a bunch of libraries (the ATL ?) in Visual Studio" as well as the ActiveX "msvidctl.dll" file used by IE.

To add fuel to that speculation, of the Washington Post quoted Dullien last week as saying Microsoft had called and asked him not to comment further on the vulnerability.

Neither Dullien nor Elser responded to requests for comment on Sunday.