A two-year flaw was fixed on Tuesday. It was just fixed due to hackers who began to exploit it in recent weeks.
The flaw is exploited through malicious web pages. It was discovered by a researcher named Peter Vreugdenhil. He reported the flaw to Microsoft in March 2007.
ZDI manager Pedram Amini said “they [Microsoft] kept finding the need for more time to ensure the issue was completely addressed” about the long delay.
Some security vendors such as F-Secure remain puzzled why the company has not released a patch sooner.
Source: The Register