One of the purchasers of the code was a criminal ad-ware/spyware business, and it looks like this was how the exploit became public.
It claims that the flaw, which was only patched by Microsoft in early January, was probably first discovered at the start of December, and by a virus writer rather than a security researcher. More info at PC Pro. This vulnerability was patched by Microsoft on January 6th.
If true, this challenges the disclosure argument. Those who made the information on the flaw and exploit code public were slammed by Microsoft and the security community at the time. But if that information had been kept strictly within hacking circles, Microsoft might not even have heard of the problem while its customers were being infected with viruses.