One point of confusion with the scanning engine bug is how it's patched. In Vista, for instance, it would never appear in the Windows Update window. Although Windows Defender relies on Vista's own update mechanisms to retrieve new signature files and security updates such as the MS07-010 patch, it does that behind the scenes. Windows OneCare, on the other hand, has its own internal update feature that circumvents Windows Update. Forefront and Antigen, meanwhile, use the Forefront Server security update service.

"By default, all have auto update turned on," said Griesi. "Enterprises can set [Forefront and Antigen] to not auto update, of course, but users should see an update on whatever cycle the software's set to." While Microsoft throttles down updates -- a process that means it may take several days for all users to receive critical updates -- Griesi said that the scanning engine fix has probably already been downloaded and installed on most affected users' machines.

Some security researchers took the Vista's-not-flawed side of the argument. "Technically, it's not a Vista vulnerability," said Amol Sarwate, manager of Qualys Inc.'s vulnerability lab. "But nothing is impervious. We're not seeing [a vulnerability in Vista] at this point, but we anticipate that there will be one."

Other experts were critical of Microsoft for letting the scanning engine slip through the cracks. "This is exactly the kind of thing that you would have expected Microsoft to catch," Minoo Hamilton, a senior security researcher at patch management vendor nCircle Network Security Inc., said Tuesday.

In fact, Alex Wheeler, one of the researchers with IBM's Internet Security Systems X-Force group credited with discovering the scanning engine bug, is noted for digging up vulnerabilities in antivirus and other security software. Among the vendors whose products Wheeler has pinned with bugs are Kaspersky Lab, McAfee Inc., Sophos PLC and Symantec Corp.