Irresponsible Disclosure
Jon Lasser, 2002-06-26

Internet Security Systems violated community standards and common sense with its surprise Apache bug announcement.

Irresponsible Disclosure -- CYA 2002-06-28
Anonymous
Of course it is irresponsible for ISS to post this patch, especially due to the dearth of good system administrators who might be able to find a way to take a look at the patch attached to the advisory, adapt it, and then possibly use that adaptation to 'survive' until Apache was able to fix this problem.

As someone else has said, disclosure versus sticking one's head in the sand (a la Microsoft) is a dead horse, and there are many grey to black areas in between both sides. These discussions are becoming almost religious in the nature and strength of the zealots on each side.

Personally, I prefer to be able to defend the companies I am currently employed by. To do this I need to know that there is an issue, and not wait until some company who wants to CYA themselves decides to inform us 6 months after every script kiddie in the world has had their way with the servers I am supposed to be protecting. That's just my opinion, and I am typically secure enough in what I do that I feel comfortable in reading about a vulnerability (even without a current patch being available) and attempting to use the skills and assets at my disposal to attempt to minimize (mitigate, for those CISSPs and BCP certified people out there) any risks that may be encountered. Yes, there are instances where mitigation is not an option, and this knowledge can become a time-bomb. No one with any logical look at this industry over the past 5+ years can say with any certainty that sticking one's head in the sand and praying that the only intelligent people in the world are working for the large corporations is any bigger of a time-bomb.

The problem is not in releasing this information, but in the over-medialization (new word, I know) of the release of the information. Instead of keeping the information in the hands of security professionals (and yes, I'm 100% certain that script kiddies and professional crackers read BugTraq and all the other lists) that can do something about it, the media lets all the Chicken Littles of the world run around and scream that the sky is falling. Of course this is just my opinion and may not amount to much.
Link to this comment: http://www.securityfocus.com/comments/columns/91/13343#13343
Copyright 2009, SecurityFocus