I think the important thing to note here is it is less about “How long without a patch” and more about “It is being actively exploited by malicious actors”.
i.e. keeping it secret is then only about making Microsoft look pretty and certainly doesn’t protect anyone.
That doesn’t seem to be related to the current disclosure, but the disclosure that occurred in October of last year. Based on just the wording of this article, it seems like this specific bug may not have been actively exploited.
EDIT: I reread the article a bit and I think my confusion was that security researchers had already released a POC exploit for this bug, making it possible that others are actively exploiting it. However, the previous bug in October was explicitly claimed to have been actively exploited.
This article is a bit fuzzy on that, and ahhh… googling around I found other articles that suggested this rule applied in this case as well.
It would be nice if a bit more precision was available.