November 21, 2002

Will disclose for profit

12th November 2002: the day "responsible disclosure" went down the drain.

Why would a theoretically well-respected company, producer of the currently best selling IDS, publish a security advisory 24hrs before the agreed date? Surely by mistake, just like it might just be a coincidence should the same company just happen to have a signature ready for this vulnerability for its scanner but no patch to offer...

Facts rather than conspiracy theory: the ISS X-Force released an advisory on BIND on 12th November 2002 affecting both BIND4 and BIND8. So far so good. Problemette: no patch was available at the ISC until 3pm GMT on 14th November because that was apparently the agreed date (and the date on which CERT advisory CA-2002-31 was released).

Now, I don't know what went through the minds of those responsible, but I had both BIND4 and BIND8 servers susceptible to remote root compromise, according to the X-Force advisory, for over 24hrs (or more, who knows, it might have leaked earlier), and I definitely was not pleased.
Does releasing something with that potential lethality knowing full well that a patch is not publicly available make you "133t"?

Where's the apology? What grounds have we now to try and convince people to give vendors a chance and release security vulnerabilities responsibly? How about "none".

In the meantime, if you still haven't patched do yourself a favour, visit the ISC and grab the latest patches.

Posted by arrigo at November 21, 2002 10:00 AM