Microsoft finalized IE10 at some point before Aug. 1, when it announced Windows 8 was ready for distribution to customers and computer makers.

It's possible, said Andrew Storms, director of security operations at nCircle Security, that Microsoft patched IE10 with information from ZDI, but was still in the testing stage for other versions of the browser. Another alternative is that Microsoft inadvertently fixed the flaw by changing IE10's code for other purposes.

Storms gave each a 50-50 chance of explaining IE10's invulnerability to the zero-day bug.

But there's another plausible reason: One of IE10's new security features blocked exploits, even though the browser remained unpatched.

Florio's vague wording -- that IE10 "is not affected" -- does not explicitly state that the browser has been patched, leaving the third option on the table.