
No, but it could have been without them knowing it. Just because an exploit hasn't been found and publicized by a security firm doesn't mean black hats couldn't have found the bug and been using it without it being widely known.


So should we expect vendors to immediately fix all vulnerabilities and release the fixes immediately?

That creates a near-constant stream of updates which is difficult for users & sysadmins to manage, and is why Microsoft and others have a "Patch Tuesday".

(I know that Oracle didn't do that here, but that's what the GP post was talking about)


I don't think immediate fixes are reasonable, but expecting a <3mo rollout for critical vulnerabilities (such as this one) isn't unreasonable at all. If they plan to fix this in October, that's 6 months; regardless of a 0-day being out or not, that's pretty abysmal. Of course, Oracle is not the only company that does this, but that doesn't make it okay.


Why can't the sysadmin wait for a week and let the patches accumulate?


Usually (and hopefully) the exploit isn't public yet. But as soon as the patch is released the bad guys can figure out what the exploit is and start attacking unpatched machines.

If the sysadmins know when the patches are coming out then they can schedule downtime in advance and get things patched very soon after they're released.


Interesting, I was under the impression that most of the time the exploit was known before the patch release. But of course the patch gives away everything. Live an' learn.



