How do they know?

Microsoft are pretty cool, they know that “We have never had vulnerabilities exploited before the patch was known.” I find that a little hard to believe.