Could Microsoft have fixed "Google hack" prior to attacks?
- Friday, 22 January 2010 11:57
When Microsoft released the highly-publicized patch for Internet Explorer yesterday, the software giant admitted that it was aware of the flaw for quite some time. "As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September," Redmond disclosed on the Microsoft Security Response Center. Does this mean that Microsoft could have prevented the Chinese attacks on the 33 companies by releasing patches for Internet Explorer sooner, or at the very least, that the browser would not have been one of the vectors used? Not exactly, we learned after contacting three different security experts.
"When the vulnerability was disclosed to Microsoft last December, there wasn't any known exploit in the wild," Chenxi Wang, Principal Analyst of Security and Risk Management at Forrester Research, told Ars. "Hence Microsoft scheduled to release the patch in February, which was the next available security bulletin date. But this attack came up before they released the update. That's why they issued the out-of-band fix. To be fair, Microsoft sees a lot of vulnerabilities, and you don't know which one actually would result in an attack."
In short, Microsoft did what it always does: work on a fix, but don't tell the public until it is absolutely necessary to warn them, and then release it as soon as possible.