Hi FwF,
Some of the vulnerabilities have been with us longer, so MS was sitting on them for quite some time:
http://www.coresecurity.com/content/CORE-2010-0424-windows-smtp-dns-query-id-bugs (2008/2009 flaw code recycled)
What has not been discussed here, and this is also seen to play a lot in the open source bug discussion, is the impact when we combine two or more bugs/vulnerabilities and then sometimes we can arrive at a very workable dangerous new 0-exploit. Understandable because MS never started with a clean slate, but has been building code layer on code layer in their eternal patching and securing their multitude of lines with maybe as many bugs and holes as the proverbial Swiss cheese product.
In defense of our good friend, Dch48, however, we have to admit that exploits that are used in malware are almost 99% borrowed from known failsafe exploit code that malcreants get from hackers and/or security researchers/testers. Exploit kit code launchers do not add new exploit code, they use those of others. That is why I have always been doing third party reconnaissance mainly...
pol