Re: Run linux they said...
Oh please. Ever hear of Hex-Rays and similar tools? Any person or team with the level of skill needed to pull this off could just as easily change a small bit of assembler in some commercial binary and try to poison the well, in fact it would probably be easier since white hats in general aren't decompiling gigabytes of commercial binaries on a regular basis.
The only thing that would stop this type of attack is the same thing that would stop the open source attack, namely checking what you are deploying (what the Microsoft engineer apparently did), signing what you chose to trust, and having the system check that signature. Open source *in general* has a lower time to detect the vulnerability, has similar overall attack surface to this sort of thing, but far more importantly gives the end user much more control over other types of malware such as forced data slurpage or sudden removal of key features that are being relied on.
Say it with me folks: Security by Obscurity is NOT security! Hiding source code and only shipping binary components is Security by Obscurity *by definition*!