As Microsoft continued to investigate three recently reported vulnerabilities in multiple versions of its Windows operating system Tuesday, it delivered a message to security groups anxious to publicly report bad news: It does more harm than good.

Less than a week after Chinese security group Xfocus publicly released proof-of-concept code, claiming that among other high-risk vulnerabilities there were flaws in the Windows LoadImage API function, Microsoft was urging security groups to follow practiced industry standards for reporting potential breaches.

A spokeswoman for the company said Microsoft was disappointed that Xfocus released the information before sharing it with the company and security vendors. She also said the actions put computer users at risk.

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the fix is being developed," she said.

Xfocus also reported that the Windows help file parsing program was vulnerable to malicious attacks on systems patched with the second service pack for Windows XP. The group also pointed to a bug in Windows' animated cursor files.

These vulnerabilities are believed to affect Windows NT, Windows 2000 SP0, SP1, SP2, SP3, SP4, Windows XP SP0, XP SP1 and Windows 2003.

Microsoft acknowledged the vulnerabilities but claimed it was not aware of any active malicious attacks and said there had been no immediate customer impact.

As reported earlier, several security vendors, including Symantec and Secunia, had confirmed Xfocus' warning on Tuesday, and noted that the most serious of the three flaws was found in the Windows LoadImage API function. That vulnerability allows malicious attackers to craft custom files, delivered within an HTML page or in an e-mail, that would allow them to run arbitrary code on a computer.

Microsoft said it plans to take whatever action is necessary to resolve any security issues.

"Upon completion of [our] investigation, Microsoft will take the appropriate actions to protect customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the Microsoft spokeswoman said.