Turns out, Microsoft knew about the vulnerability since September.
Microsoft security program manager Jerry Bryant wrote in a blog posting this week:
When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan 11, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September. (Emphasis mine.)
So this critical security issue was reported to Microsoft 4 months ago, and Microsoft sat on it. Microsoft says they originally intended to release the fix in February, and only moved it up because of the attack on Google. Even giving Microsoft the benefit of the doubt on that one, the bug would have sat exposed and unaddressed for 5 months, waiting for an attacker to use it. Which one eventually did.
By comparison, free / open source software has bugs too. Sure, some open source projects may have certain bugs sitting in them for months before someone gets around to them. To be fair, though, critical bugs (like security flaws) get fixed pretty damn fast in F/OSS.
I think I found another reason to recommend Linux.