The Russian security firm Intevydis has announced that they will be releasing a number of security vulnerabilities that have not yet been fixed by the manufacturers, all of whom have already been notified. According to an interview with Krebs on Security, the founder is sick of notifying the vendors with no fixes being released.
The debate around the discovery of security weaknesses focuses on two distinct areas: do you announce to the entire world the weakness you found (and a way to fix it or resolve it), or do you keep it secret and only notify the vendor? The first is called “full disclosure” and is generally only used by individuals; the latter is called “responsible disclosure” and is the normal method for most security firms.
One question often raised is this: are users best served if the problem is kept secret while the vendor fixes it, or when users (and crackers and the public at large) are notified so they can work around it?
Unfortunately, vendors sometimes take several months or years to fix vulnerabilities, during which time the users have no idea they are vulnerable – and, one hopes, crackers have not yet found the vulnerability.
Underlying all of this is the important idea that system administrators must keep their systems up-to-date on the most recent patches; systems are often hacked through vulnerabilities that are old and have been fixed by the vendor for months or years.