The only model that makes no sense to me is the altruistic model. The vendor wants the researcher to do his code review for free and that doesn't quite fly. They are profiting from the vulnerability information but they don't want to pay for it.

Patching is very urgent. We expect public exploit code to become available, especially for the MSDTC issue.

Patching is very urgent, ... We expect public exploit code to become available, especially for the MSDTC issue.

It seems like there is some flaky code in portions of the libraries that handle the WMF files. It wouldn't surprise me if we see more vulnerabilities emerge, which I am sure will be followed by more media coverage.