SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.
Your post is short-sighted. First, there quite obviously are several people working for product vendors who care very deeply about the security of their products.
Second, publishing an exploit, particularly as you say, "easy to use code", is going to result in a worm (past behaviour shows this). Are you sure that you want to release a worm against your own equipment, given that your vendor is apparently lax in responding to security vulnerability reports? Oh, and don't forget the other users that'll be screwed by your exploit as well.
Third, I don't know what equipment you have crashing, so this may be way off, but have you considered that a shutdown is potentially a correct response for these units in the face of an apparent intrusion? Sure, a route to denial-of-service, but that's often better than having to deal with a machine that isn't yours any more.
Fourth, I don't know if you're a developer or not, but if you are, you'll be aware that every time you fix a bug, you do so using exactly the same process that put the bug in there in the first place - programming. So, you have to make sure that your bug fix doesn't cause more problems than it solves. It takes time to test to that level of assurance.
I understand that the only true way to verify the usefulness of a security patch is to throw a sample exploit at it. Otherwise you have to trust the word of the vendor, and the word of the original discoverer of the vulnerability. Maybe that should be enough.
If you don't trust your vendors to have your interests at least slightly at heart, you may be using the wrong vendors. Switch to someone that you feel you can trust.