@Grease Monkey
"Of course received wisdom is that you should use the routine that exists in the OS rather than reinventing the wheel and writing yout own code. So conventional programming wisdom would have it that Google and Apple have done the right thing and Mozilla the wrong thing."
Up to a point. It is true that received wisdom is VERY unkind towards those who invent their own cryptographic wheels. However, Mozilla have a defence in being cross-platform. They can either use the facilities provided by each OS, or they can pick one implementation and bake that into their own code on all platforms. There are pros and cons on either side.
"As has been pointed out MS have lots more testing to do, but still not months worth. So the fact that MS haven't patched the vulnerability yet is inecusable."
They should not be doing *lots* of testing. As was pointed out at the time of the original disclosure, the spec actually says "counted string" and not "nul terminated string", so MS only need to test that their new code does that. They don't need to test for any wider fall-out, because conforming clients will not be affected by the fix and (as noted in a comment above) non-conforming clients *should* break loudly rather than quietly.