"Full Disclosure" and the vendor.

Many of my MVP friends have been posting about the sheer irresponsibility of recent disclosures of IE bugs.

This is one of those things where you have to admire the religious zeal of the 'full disclosure' advocates.

"The fact that we know about a vulnerability means that the bad guys probably already know about it." they cry. "So, we're going to publicly release full details of it, to guarantee that they do."  [I'm paraphrasing here, this is not a direct quote from anyone]

And while they're at it, of course, they spend no time whatsoever bothering to tell the developers of the original code, so that they might offer workarounds, detection hints, or, heaven forfend, an actual fix.

So, developers have to subscribe to Bugtraq, Full-Disclosure, Neohapsis, FrSIRT, Secunia, and a dozen other mailing lists, and delete mail about thousands of other products, on the off-chance that today might be the day that their own product is mentioned.

[And then, about 80% of the time, the developer has to point out that the "strong likelihood of remote execution" described in the original post is more akin to "we couldn't figure out how to make it do remote execution, but if we said that, we'd sound like idiots, and our bug report would just be a bug report, not a s00per-d00per vulnerability exploit".]

Maybe the IE flaw is exploitable... maybe it isn't.  But given a road-map on how to trigger the flaw, those who would like to see an exploit (the spammers, the criminals, the virus writers...) are likely to find it before Microsoft has a chance to define the flaw, design a fix, code the fix, test the fix, review the fix, put it out for beta test to ensure that it doesn't kill common LOB ("Line of Business") apps, build a patch vehicle for the fix, test the patch vehicle, write up the announcement, get it approved by communications and legal, and then eventually distribute the patch.

Then, after Microsoft has done all that, we, the users, get to spend a day or two analysing the fix, testing it against our own applications for compatibility, rolling it out to a small number of users for further testing, analysing the results of those tests (and ruling out those people whose machines were going to die anyway the next time they rebooted, but blamed it on the patch instead), and then rolling it out to all of our users.

Full public disclosure without vendor notification had its day - and maybe it still has a purpose, but only when vendors steadfastly refuse to communicate about security flaws, which is a rarity for vendors today.  If you are going to disclose a weakness to the world, for the world to attack, you have a social duty to first give the world a chance - and some time - to address the weakness.  The first point of fix is the supplier of the product with the weakness in it, and that is where you should take your vulnerability report first.

Published Wed, Mar 22 2006 21:18 by Alun Jones