Because trust in the CA system is essential for the web as an application platform? Google wouldn't be happy if people started making native clients with hardcoded public keys because they didn't trust the CA system... (cf. cperciva's tarsnap.)
I can't see all the browser vendors being complicit in what would essentially be a cover-up just to make the internet look good.
And anyway, they didn't cover it up, they just waited for the patch. But they checked it in to the public repos days ago, so they weren't trying to hide it from the attacker, just keep it low profile. That doesn't make sense for this type of vulnerability, unless there is something interesting we don't know about.
My best guess is that we are waiting for audits of the target sites to finish, and I guess addons.mozilla.com is already done.
So the solution to "the CA system is not trustworthy" is "tell the public the CA system is trustworthy"?
Edit: I mean, I can see how it's in the browser's interests to convince people that the system is reliable. And I can see how it's in web companies' interests to convince people that the system is reliable. But trying to convince people that the system is reliable when it is known not to be reliable strikes me as ethically questionable, at best.
I don't think we're disagreeing here, I was just trying to point out what the browser vendors' motivations might be. It is also quite possible that law enforcement etc. requested a delay in the announcement to aid what has to be a significant ongoing investigation.
The public wasn't lied to, or even spoken to - some browser makers just slapped a band-aid on a broken system to prevent it from visibly falling apart. People (but not necessarily Mozilla et al. - think cryptographers) should arguably be fixing the system instead, but it's a hard problem and immediate fixes would be needed anyway.