The flaw was disclosed to Sophos about a month ago by a French researcher. A patch was made available on April 28 and customers who have subscribed to Sophos' automatic update service would have automatically received it, O'Brien said.

Sophos did not publicly disclose the vulnerability until Monday, and did so then only because the French firm that first discovered it was planning to go public with the information, according to O'Brien.