I really don't know how to take Microsoft's response(s) to the recent .WMF vulnerability flap. I'm soliciting comments from everyone on this.
While Microsoft readily acknowledged the existence of the vulnerability, they steadfastly clung to the position that user interaction was necessary to exploit it long after it was known that this is not true.
Today, 3 January, they announced they have a patch completed, but will not release it until 10 January, which is their regularly scheduled "patch day". While I realize that they have to test any patch thoroughly, it seems to me they should be expediting this at any and all costs and releasing it sooner, if humanly possible.
After all, millions upon millions of PCs are at risk here. The distribution of the exploits related to this vulnerability is widely spread. It's not just dodgy web sites. They're arriving in emails and have been slipped onto more reputable sites that have been compromised. In my opinion, Microsoft simply cannot continue to treat this casually and act as if users will be at fault because of their surfing habits.
What do you think?