In last Tuesday's patches, Microsoft fixed a vulnerability in Office Web Components (MS09-043).

This was good, as the vulnerability is actively being exploited via malicious web pages.

What's surprising about the case is that the vulnerability was reported to Microsoft more than two years ago.



That's a surprisingly long patch cycle, and we've learned to expect better from Microsoft. There's probably more to this story than meets the eye.