Yes but the irony of people doing what they're told on a facebook page and buying a song that exhorts "I won't do what you tell me" is delicious.
Well of course you will. The projects on those sites are looking for cheap implementation and damn any sort of quality or maintainability. The Register didn't look at those sorts of sites, they looked at recruiting sites instead, the ones businesses use. Using the slime pool that is the "Write me a twitter clone for $100" sites to say LAMP is the most popular in businesses is laughable.
cloud applications can be cashed
That's certainly what google is hoping for.
Actually you'll find that most security flaws are treated like this, in order to give the vendor time to patch. It's part of the whole responsible disclosure credo. As an indication of how seriously MS take this, they facilitated the disclosure of Kaminsky's DNS cache poisoning discovery. He was contracting there at the time. MS called all the major vendors, and hosted meetings in Redmond to kick the whole response off. He talked about it at Bluehat in 2008. Heck, even Bluehat itself demonstrates something. They had speakers from Adobe and other "rivals" this year, and after about a month they put the session videos up and available to all for free.
Then you haven't been paying much attention. Billy Rios has discovered the GIFAR problem with Java. Of course they're only looking at things that affect their software, in much the same way that Google doesn't go looking for software bugs in Microsoft products.
Why is it so surprising that security researchers employed by a company only look at that company's software, and aren't credited in the security patch reports for just doing their jobs?
Well exactly. In this case Microsoft paid for what they believed was closed source code, it was a third party vendor that broke the GPL, but because Microsoft released the executable, well they're responsible.
Which raises a question - how do you check these things? If the vendor cut and pasted code in, and removed comments that identified its source and the source's licensing agreement how do you spot this? It's not feasible to download every single open source project and start a diff against every single file they contain, so how do you do it?
Yes but considering you can download a free (no cost) version of MS SQL2005 or a time limited version of SQL2008, how hard would it have been to check? If you don't have anyone on your team who knows SQL then why is the site starting to comment on the SQL you discovered using strings? If you don't know it, can you really offer an opinion?
Saying it's vandalised when you didn't even perform the basic checks with someone who knows the MS platform is something you should be beaten up for. It's sensationalist, and now, if you do discover something, how much of your message will get hidden simply because you cried wolf at the very beginning?
"A great many people think they are thinking when they are merely rearranging their prejudices." -- William James