Microsoft dealing with vulnerability whiplash

July 8, 2010 | 13:16 | News | By: Team X


Microsoft is having a rough month. In addition to known vulnerabilities, including one discovered this week, Microsoft now faces vulnerabilities in IIS, along with problems found in Windows Vista and Server 2008. Moreover, vulnerabilities discovered in Office 2010 pose another challenge entirely.

Starting with the vulnerabilities in Office 2010, the security firm responsible for discovering them, VUPEN, will gladly share the details with Microsoft, as long as Microsoft is a paying customer. For now, VUPEN will share the vulnerability and mitigation details only with paying customers.

“We successfully created a code execution exploit which works with Office 2010 and bypasses DEP (Data Execution Prevention) and Office File Validation features,” VUPEN said in a company blog post. To date, VUPEN has discovered problems in Excel 2010 and Word 2010.

In statements to Heise Security, VUPEN CEO Chaouki Bekrar asked why security service providers should give information away free when it is used to secure paid software. However, VUPEN's decision to withhold information from Microsoft isn’t the only issue that the software giant has to face.

An anonymous group has taken issue with hostility towards researchers, and promises to “…fully disclose vulnerability information discovered in [their] free time, free from retaliation against us or any inferred employer.”

They made good on this promise by including details for a locally exploitable vulnerability in the kernel on Windows Vista and Server 2008. While VUPEN lists the risk as low because it is local only, this is just the first in what is expected to be many releases of its kind.

The group, using the name Microsoft-Spurned Researcher Collective, a pun on Microsoft’s own MSRC, said they have taken this stance and released the vulnerability details due to open hostility against researchers like Tavis Ormandy.

Ormandy, as many will recall, was blasted by Microsoft for a disclosure centered on a flaw in the Windows Help and Support Center. The media, as well as Redmond themselves, also included Ormandy’s employer Google in the scorn. What followed was an industry-wide debate on disclosure.

Ormandy’s disclosure, Microsoft said, led to criminals picking up on the flaw and attacking it online. In a June 30 post to the Microsoft Malware Protection Center, Microsoft’s Holly Stewart said that 10,000 systems have seen attacks aimed at the Windows Help and Support Center. However, it should be noted that 10,000 systems seeing the attack does not mean that there were 10,000 infections, as widely reported.

Other unpatched vulnerabilities include one from VUPEN that centers on a problem in IIS 5.1. If the input validation error in the authentication process on IIS 5.1 is exploited, an attacker can gain access to protected content.

On Tuesday, Microsoft said they were looking into a vulnerability report that originated as a vulnerability disclosure in PowerZip.

“The vulnerability is caused due to a boundary error in the "UpdateFrameTitleForDocument()" function of the CFrameWnd class in mfc42.dll. This can be exploited to cause a stack-based buffer overflow by passing an overly long title string argument to the affected function,” security vendor Secunia said in an advisory.

With the monthly updates coming next week, it is unlikely that any of the recent disclosures will be addressed. Aside from a Twitter post announcing that they are investigating the MFC vulnerability, Microsoft has remained silent on the ones from VUPEN and the one from the M-SRC.
