I think you're right that this won't be a big deal for Apple. It won't really hurt them much.
However, basing your actions solely on the impact to yourself and ignoring the potentially huge negative impact for your customers is exactly the sort of thing that causes me to call it "unconscionable".
I agree that if it were just about the impact to themselves this would be "unconscionable", but I think that in practice the effect on users will also be very limited unless this vulnerability has already been known and exploited in the wild, or unless they take weeks more to patch OSX. Remember it requires a MITM attack to exploit it - not just a compromised host.
There is definitely a gamble they are taking, and definitely process improvements they should make (e.g. mandatory static analysis of shipping code). I just think this is more about poor performance than poor morals.
[noting again that if this was discovered because it's in the wild, then it's all about performance]
The iOS patch was released on Friday, so it was publicly known then at the latest. It's not particularly hard to exploit, so it seems entirely reasonable to think that people were exploiting it soon after.
How many Macs connected to Starbucks WiFi this weekend and had their e-mail and banking credentials lifted? If my hat were darker, I'd have been out there doing it for fun if nothing else.
The fact that it requires a MITM means you're fairly safe on a home connection, but there are lots of people out there on public WiFi who would be pretty vulnerable to this.
I really don't understand what the "gamble" is. What's the upside to waiting?
I think your example of a Starbucks is a good one, and I'd be curious to know. The attacker has to go and physically sit in or near the Starbucks to do it, which is a strong limitation. They also have to have something worthwhile to do with what they steal. So that limits it to criminals with the knowledge to exploit this MITM attack who are willing to sit outside a Starbucks for long enough to harvest a worthwhile set of credentials.
I doubt that many credentials were stolen this way.
Again, what's the upside to waiting? It looks like zero to me. Minor convenience for Apple at best. Placing their own convenience over the security of their customers is bad.