A new face of vulnerability patching process

by Anton Chuvakin

Related link: http://www.securitytracker.com/alerts/2004/Nov/1012341.html

I hope more people will pay attention to this, as it looks like a harbinger of ominous things to come. Here is some background on the whole "vulnerability thing" to understand the impact. How things were in 1990s-2002? Somebody discovers a security hole, notifies the software vendor, CERT, etc, then times the release of his advisory with the vendors. Gain for the discoverer? Some publicity and nothing else. "Security community" and amateur attackers both benefit. Fast forward to 2004: less people are willing to do the above for free publicity. Why sent to vendors and bugtraq/CERT - just because some think "its the right thing to do"? Why disclose, if you can profit (which I certainly respect)? Looks like many in security space are used to thinking that "security reseachers" are doing their research for the common good, and they are up for a rude awakening. Just look at the timing in the advisory (http://www.immunitysec.com/downloads/instantanea.pdf) - discovered May 2004, released to public Nov 2004... YOUR server might be owned way before you know it.