Microsoft knew of critical IE flaw used in Google attack 5 months ago

Microsoft's senior security officer Jerry Bryant had this to say: "Our investigation into this responsibly reported vulnerability began early September...We became aware of the recent attacks in mid January and as part of our investigation determined the vulnerability being used in these attacks was similar to the one investigated in September."
Apparently the official plan from Redmond was to patch the hole in a cumulative update this February -- a full six months after it was discovered. In the wake of the attacks, however, they were forced into action and released an out-of-band patch for IE.
What's your take on this news?
Six months seems like an extremely long time to make millions of customers wait for you to release a patch to a flaw which is considered to pose a severe risk.
Most of our users have already made the switch - maybe it's time for the rest of the world to look at an alternative browser.
Comments (11)

Level 5 Jan 22nd 2010 11:58AM
Is it March? Not getting how September was 6 months ago. I'm also not getting how the February date of the patch release is 6 months from September either.
Lee Mathews Jan 22nd 2010 12:03PM
Let's hear it for uncorrected typos. I'm going with s-o-n-d-j - 5 months. Patch in Feb = month 6.
Either way, even if you count it as 4/5 months, it's still way too long.
ericloewe Jan 22nd 2010 12:20PM
It's certainly faster than many other companies. At least they patch things up.
Yawn Jan 22nd 2010 12:35PM
Since we are all busy being editors today:
'update this February -- a full six months after it was discovered'
A full six months would require the update to be no earlier than March 1, assuming the discovery was made on September 1, since the exact date in September the vulnerability was known is not listed in the article.
Evenio Jan 22nd 2010 12:40PM
At the risk of sounding like a Microsoft apologist, they're far from the only company to let security flaws go unpatched for too long. (I have a hazy memory of something involving Apple and...was it the Java runtime?) With finite developers and working hours, you have to prioritize which holes to patch up first, and that includes trying to guess which ones are most likely to be actually found and exploited first. Thing is, Internet Explorer is probably so crammed with holes like the one in question (and others both lesser and greater) that it was honestly just one they were going to get around to, not knowing that someone was going to use it before they got the chance. (In other words, it's not like they were planning on sitting with their thumbs up their butts until February and THEN suddenly start writing patches.)
dbd Jan 25th 2010 1:13PM
I can tell by downloadsquad.com posts that you guys do not like Microsoft.
"When the vulnerability was disclosed to Microsoft last December, there wasn't any known exploit in the wild," Chenxi Wang, Principal Analyst of Security and Risk Management at Forrester Research, told Ars. "Hence Microsoft scheduled to release the patch in February, which was the next available security bulletin date. But this attack came up before they released the update. That's why they issued the out of band fix. To be fair, Microsoft sees a lot of vulnerabilities, and you don't know which one actually would result in an attack."
In short, Microsoft did what it always does: work on a fix, but don't tell the public until it is absolutely necessary to warn them, and then release it as soon as possible.
Ossama Ansari Jan 22nd 2010 1:27PM
I remember a while back Apple had a major flaw in iPhone that they knew about for months but didn't patch it even after it was found out and brought up on many tech sites. It took them 5 weeks to patch it. It's easy to bash MS but let's all remember, without MS we wouldn't have Windows 7, best OS out there. And yea, I own a MacBook Pro and an HP notebook. So this is coming from experience. Point is, MS didn't sit on their asses twiddling their thumbs for five weeks to patch it. If I am right it took them barely 10 days. I think they went above and beyond to get this fixed in releasing it as an out-of-band patch. Even though it was in efforts to protect their market share but still...
FF >>>>> IE > Opera > Chrome
Josh Jan 22nd 2010 4:23PM
They also confirmed in the last week that there is a security hole in Windows that was first reported almost 17 years ago. 5 months doesn't seem too bad.
Ossama Ansari Jan 22nd 2010 5:16PM
I'd like to hear more about this 17-year-old flaw...details? links? proof? evidence?
Josh Jan 22nd 2010 7:48PM
Yeah. Just read up on it through Google. lol
Robert Jan 24th 2010 10:07AM
I thought this only affected IE6? If so, Microsoft did release a "patch": they released IE 7 and 8. How is this not a fix? Those who didn't bother to update their IE6 should not get mad at Microsoft. It is not like they charged for IE 7 or 8.