reuters[.]com/article/us-microsoft-cyber-idUSKBN17S32G
The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time...
And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.
The problem in this case was particularly serious -- unlike most malicious email, you didn't have to turn on macros with a Word doc, or run some app, or unzip a file -- you just had to open the doc. Worse, the core vulnerability had been there for a decade or more. The Reuters article traced the exploit back 9 months, but it could easily have been in use for years, e.g. by some government intelligence service, and just wasn't caught, or if it was noticed, wasn't reported.