Clues, experts say Microsoft knew of IE zero-day for weeks before patching

23.09.2012

Romang also noticed the ZDI attribution in MS12-063.

"So, [to be] clear, this mean[s] that this vulnerability was discovered by another researcher, previous [to] my discovery, reported to ZDI, [which] then reported it to Microsoft," said Romang in a to his personal blog.

HP TippingPoint runs its ZDI bug-bounty program to create protection signatures for its HP Digital Vaccine customers, who use them in their IPS (intrusion prevention system) hardware.

Another clue to an early warning of the IE vulnerability comes from IE10, the version bundled with Windows 8, the OS upgrade already deployed by some users but set to reach retail Oct. 26.

Last week, Microsoft repeatedly said that IE10 was not vulnerable, with Elia Florio of the MSRC engineering group asserting on Thursday that "Internet Explorer 10 is not affected."