
Apparently the 10,000 eyes of open source missed this huge mistake =( This is exactly the kind of thing I wouldn't expect to see in open source software.


This is the 10,000 eyes of open source catching the mistake. It happens in public because there is very little "private". Working As Designed.

How often do you see a forensic analysis of this type on commercial software? Not zero, but less often.


I'm gonna go with, "every time Microsoft releases a security patch of any severity in any product whatsoever".


Hey, absolutely. I'm just saying that it's much harder and thus much more rare.

(I have to admit it's sort of more impressive when someone whips out a debugger rather than reading through source.)


Well, catching it after a long beta and then three rounds of release candidates. Indeed, it was apparently caught by an end user, and not those 10K eyes of developers at all.


And that's the beauty of FLOSS. An end-user caught a problem that will, hopefully, be corrected in a couple days.

Were it a problem within IE (or Oracle applications - let's be fair as this is not a Microsoft-only problem) we would have to wait for a developer to read the report, the bug to be assigned and the correction to be put in a future bug-fix release.

In a way, a guy from Microsoft just made a huge point on how open-source is far superior to their own closed development cycle.


I'm not sure what you're expecting or what you're disappointed about. It's not like closed source commercial software has any better track record.


If we only measure ourselves (and our work) by the next best person, then the only thing we can become is slightly better than them.



