Google employee Michal Zalewski disclosed a CSS security issue in Internet Explorer today, before Microsoft had issued a fix. This is the second time a Google employee has publicly disclosed an IE security flaw before a patch was available. Chris Evans posted a cross-site scripting issue to Seclists in September, according to Ars Technica.
The new flaw may also have been reported by two Chinese researchers at a security conference in South Korea, according to KrebsOnSecurity. Microsoft does not know of any exploits in the wild taking advantage of this vulnerability.
Should Google have disclosed these bugs to the public, or waited for Microsoft to issue a fix first?