Microsoft knew about IE bug since last year

Microsoft has known since last spring about an ActiveX control flaw that has now left Internet Explorer users vulnerable to attack.

Mike Reavey, director of the Microsoft Security Response Centre, said on the centre's blog that it received a report from IBM ISS X-Force last year.

Microsoft's investigation confirmed that the ActiveX control shipping with Windows had an exploitable vulnerability.

The company didn't issue an advisory until this week, when reports first surfaced that hackers were taking advantage of the vulnerability to target Internet Explorer users.

Engineering teams believed that the best approach was to remove the ActiveX control from Internet Explorer entirely, but it took Microsoft some time to evaluate properly what impact that would have.

Reavey said that when disabling or removing functionality, Microsoft had to carry out more research and testing than usual, to ensure it could take the step without causing more harm than good by inadvertently breaking applications.

He said: "For something like this, we have to ensure not only our applications but also major third-party applications are not hurt by this.

"Otherwise, if our update breaks a major application, customers won't deploy the update but the bad guys will have information about the vulnerability they can use to attack it," Reavey added.

The Microsoft statement came as the company revealed that at next week's Patch Tuesday it would release a total of six security bulletins, including three critical updates for Windows.

The ActiveX flaw will be fixed, as well as an earlier vulnerability that affected Microsoft DirectX.