Hi bob3160,
But that is not the attitude of the researchers that make a full disclosure. They give the software developer 48 hours and then they open up with what they stumbled upon. In the case of the gaping hole in Firebug, pdp did not wait, and went public with it, being aware that the developer was away for Easter. You can read it here:
http://www.gnucitizen.org/blog/firebug-goes-evil and my proposed simple protection near the bottom of the blog page. Anyway, the Firebug extension was immediately updated to a secure version; accolades to the developer there. Well, that is why patches come that fast in public code. It works two ways. Those that find holes and those that close them henceforth work together to improve the code. They are waltzing towards security, not dancing constantly on the edge of a cliff.
How in contrast, then, with the security policy of the makers of the MS closed code. These herders of what is mainly "security through obscurity" seemingly have other interests, and try to keep the lid on vulnerabilities (hushing up the one we discussed here for a couple of months, hoping it would not materialize?). That is why we haven't seen a complete overhaul of this "code built on code" with dinosaur insecure bits in it, dating back from the days of win 3.01. As long as no-one is rattling the skeleton bones a bit, they are kept hanging there... until they come down eventually. You just cannot trust this code fully, apparently. Well, no-one can code absolutely securely, but then again it is about the attitude...
polonus