But sometimes researchers, frustrated by the slow pace of a software maker's investigation, go public with details about the vulnerability while it is still unresolved. Some experts consider this tactic a necessary evil to force recalcitrant companies to issue a fix; others decry it as an unethical breach of industry practices.

People who advocate going public argue that if a researcher knows about the flaw, criminals might, too--and smart criminals will keep their attacks small and targeted so as to avoid the maker's attention, and a fix. Unfortunately, all too often, public disclosures of a vulnerability prompt public zero-day attacks.

Another controversial practice is bounty hunting. Some organizations, including iDefense and 3Com's Zero Day Initiative, pay researchers to report zero-day exploits to them. iDefense, for example, offers an US$8000 bounty for information about vulnerabilities in IE 7 and Vista. The security companies then communicate their discoveries confidentially to the software companies. While not universally admired, these programs do put cash in researchers' pockets--an outcome that many prefer to a simple public pat on the back from software vendors.

Perhaps more important, security company bounties compete with the growing black market for zero-day exploits. The Vista vulnerability seller that Trend Micro's Genes observed in a chat room may or may not have found a buyer at the US$50,000 asking price, but reports from eWeek.com and security companies say that the Windows Metafile attacks began immediately after a sale of relevant bug details for the tidy sum of US$4000.

To find marketable flaws, researchers and criminals use automated tools called fuzzers to locate places where a program accepts input, and then systematically feed them bizarre combinations of data. Frequently this testing turns up an exploitable flaw called a buffer overflow.

Software companies, including Microsoft, commonly use the tools to find flaws in their own products proactively. But so do the crooks: BlackHat organizer Moss and many other experts say that Eastern European organized criminals, disciplined groups of Chinese hackers, and other miscreants use fuzzers to find valuable zero-day exploits. The discoverers can use the exploit to attack on their own or, as in the case of the WMF exploit, can sell it on the black market.

When a software maker can patch a security flaw before any attacks occur, both company IT staff and home users have time to update their software and stay ahead of the curve. But as soon as a zero-day attack commences, the clock is ticking--and sometimes it ticks for a while before the needed patch arrives.

During the first half of 2006, according to Symantec's September 2006 Internet Threat Security Report, Microsoft tied Red Hat Linux for the fastest patch development time for commercial operating systems: an average time of 13 days.