How long have Apple and Myspace known about the worm?
I ask because I just had a very interesting link sent through to me from my good pal, one Mr Burnt Pickle. The link (if genuine) suggests that people who could have done something about this just left things hanging. A personal journal posted the article originally; however, I've since been contacted by the author and asked to remove his quotes, as he apparently "accidentally published this article and made it public - only friends were supposed to be able to see it".
This rather cripples the context of this article (which I've had to rejig to make sense of, considering the entire thing was based on a quote), but basically what this boils down to is this: Apple apparently sent out the patch late, by which point Myspace had already sent out messages saying the patch was available, which is why this happened. Also, it's implied that people had been working to fix this for (at least) several weeks, but nobody thought to inform the users of Myspace that they were at risk.
Interestingly enough, there's an entry on Tom's Blog about phishing dating back to October 19th. People phish Myspace all the time, so it must have been something important for him to bother writing about it. Also, note that he mentions people "posting comments" from stolen accounts. Is he talking about the worm? If so, that's about the lamest "security warning" I've ever seen.
Along with Websense and F-Secure, I was fortunate(!) enough to see this one hit and also see the aftermath - Myspace sending out "your account will be cancelled due to spamming" mails to infected users being a particularly disgraceful example of the way their userbase has been treated.
Someone at either Apple or Myspace needs to take some responsibility for this and explain:
1) Exactly when full knowledge of this specific exploit came to light
2) Exactly when they started working to fix this exploit
3) Whether one or both companies knew about this weeks ago, and if so, why nobody notified Myspace users of this specific threat
4) If the blog entry by the Tom guy does indeed refer to the worm, why the huge veil of secrecy? Were they hoping this issue would just go away? What if the payload had been somewhat more malicious than some garbage JavaScript phishing accounts to spam Zango sites?
What then?
Update - The author of the original article has written to say that this article was "never intended to be made public, and was for friends only" and requested its removal. If it was such a hot-button topic, then password-protecting it (or, even better, not writing it in the first place) would have been a good idea. There was no indication on the original article that it was supposed to be "private", or that the author did not give permission to be quoted. If the article is still live in some form, then presumably anyone with access to the blog can still see it ("Anyone is welcome"). At that point, you need to accept that people may still quote you, or pull the thing entirely. However, since the author says it was supposed to be private, I'll respect that wish and remove all direct quotes.