rolling patches


May 3rd, 2007

One must wonder how long large software companies have been aware of certain issues with their wares before they actually release security fixes for them. More than once we have seen Microsoft [they are not the only ones; I suspect Apple has done the same, and probably ISVs too] roll out patches for issues they subsequently admitted had been known in-house for some time. But without an incentive from the marketplace [i.e. the exploit is now in the wild and everybody is running it], these companies seem unwilling to dedicate resources to the QA needed to test their fixes. They simply wait until the public finds out to start the process.


Back when people wrote viruses, worms and exploits for fun, this was tolerable. After all, a screen full of bunnies is annoying, but not as bad as having your hard drive held for ransom. Yet with the growth of a black market for security exploits, software companies should be far more careful about what they choose not to disclose. Something known only in-house can be sold for large sums of money; in turn, high-profile corporations take a hit from what amounts to a 'known lab exploit'. Ideally, the affected corporations would move their systems off the platform or software that caused the problem. But everybody seems happier spending large sums on firewalls and security training than putting pressure on their providers.

In the old days - the "writing viruses for fun" days - the challenge was in messing with the operating system for 'academic' purposes, not for profit. Maybe this way of dealing with software flaws was fine then. Most companies still do not understand that, beyond a bad reputation, they will lose customers. Just look at how many switchers we have now [from Windows to Mac OS X] to get a sense of what happens once consumers get fed up with a company's inadequacies. Some part of me hopes that more and more security problems arise, hitting all major operating systems. At that point we might be able to tell who is really superior from a technological standpoint. In the interim, we must wait for Patch Tuesday and for security conferences with cash prizes to find out what is broken, and where.



