Early yesterday, news swirled around the "inadvertent" leak of Microsoft's pre-release WMF patch, which happened to have all the official Microsoft digital signatures and packaged trimmings. But I'm not complaining here, and I think Microsoft should "leak" some more of these patches in the future if there is another zero-day exploit on the prowl, and they should "leak" it as soon as possible.
The argument against releasing patches out of cycle is that it disrupts the corporate enterprise patch cycle and is too much to manage. Releasing a patch out of cycle may expose more enterprises to danger because enterprises will typically wait until their normal patch day while the hackers get a head start on reverse engineering the exploit. While this may often be the case, it's absolutely irrelevant with this recent WMF vulnerability because the publicized exploit and the weapons-grade proof-of-concept code were already being used to hijack unsuspecting users coming across websites with malicious images. While there is no doubt in my mind that the disclosure of the proof-of-concept code is irresponsible, the reality is that we have exploits on the loose to deal with.
Since Microsoft can't officially release a patch without putting it through extensive tests, the best way to deal with this situation is to simply release the pre-release patch as beta code. If people want to beta test it and it happens to break something, then it is understood that the patch is beta. Corporations and individual users don't have to deploy it and they can wait for the official, fully tested patch. Had Microsoft done this, there wouldn't have been a need for independent third-party patches, and people would have had access to a less than thoroughly tested patch that was at least from the official vendor.