After creating great distress in security circles, an issue with Microsoft Windows has proven relatively minor. The problem, labeled the Black Screen of Death, was initially thought to be widespread. Indeed, British security firm Prevx posted a series of blog items suggesting that several million computers using Windows XP, Vista and Windows 7 could be compromised. The company said the problem often is associated with two Windows security patches, KB915597 and KB976098.
Prevx has since backtracked, though a bit obliquely. In a posting Wednesday, the firm said the problem is still widespread and its free tool to fix the issue had been downloaded more than 50,000 times.
The company denied that it made concrete claims. "As you will see, at no time have we categorically stated that these patches are the cause of the Black Screen problem," it said. "We shared our initial findings around the two patches with Microsoft, conducted further tests, and have confirmed that these specific updates are not the root cause."
Microsoft: Updates Not to Blame
Mike Murray, chief information security officer for Foreground Security, said the entire affair is a non-story. "I am absolutely amazed this became the story it became," he said. "They say the number [of infected machines] is 50,000. I say it's more like 10 percent of that. I hate it when security companies throw out all this hyperbole. I have known large organizations ... that are using Windows 7 in large parts of their [companies], and I have not heard one report from any of my clients on this problem."
Microsoft also called the problem overhyped, if not nonexistent. "Microsoft has investigated reports that its November security updates made changes to permissions in the registry that are resulting in system issues for some customers," said a statement attributed to Christopher Budd, Microsoft's security response communications lead.
"The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports," the statement says. "While we were not contacted by the organization who originally made these reports, we have proactively contacted them with our findings."
The statement also says that Microsoft's support organization doesn't see any issues. "The claims also do not match any known issues that have been documented in the security bulletins or KB articles," it said.
Roger Halbheer, chief security adviser for Microsoft EMEA, was not amused. His post at TechNet Blogs is critical of Prevx and, by implication, the many sites that uncritically carried the initial and inaccurate reports.
Be Careful Who You Listen To
Halbheer concludes users should be careful who they listen to. "[Y]ou should now make your risk assessment and decide which source you want to trust. For me, the ultimate source for information you should build your assessment on is neither Twitter nor your brother's sister-in-law's father's brother (unless he works for Microsoft's security) but our web site."
Murray agrees that Prevx's approach was wrong. "I would hope they would work with the vendors and be a little more responsible in the way they run around talking about this stuff," he said. "I almost laughed when they said that they feel bad about embarrassing Microsoft. They got themselves all over the news by embarrassing Microsoft."