Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.

All three of the bugs were reported by the Zero Day Initiative (ZDI), a bug bounty program run by TippingPoint Technologies, a security development and research arm of 3Com. The trio were among the four vulnerabilities Microsoft patched Tuesday in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).

One of the TippingPoint vulnerabilities, found in the ActiveX control used by IE to display Excel spreadsheets, has been exploited by hackers for more than a month to launch "drive-by" attacks from malicious or hijacked sites.

In several ZDI advisories posted yesterday, TippingPoint said it had reported two of the vulnerabilities to Microsoft in March, 2007, while the third was reported in December 2007.

"In general, Microsoft is one of the better vendors we work with in fixing vulnerabilities in a timely manner," said Cody Pierce, a TippingPoint security researcher, today. "But it's hard to say whether this timeline is warranted."

Full story: Computerworld