New
#1
The issue of "disclosure" is a pet peeve of mine. In my opinion, it is irresponsible for any researcher to publicly disclose the details of a vulnerability, particularly one that is not in the wild. Regardless of whether the process is called "Responsible Disclosure" or "Coordinated Vulnerability Disclosure" or whether "in the wild" or not, those who expect immediate response when a vulnerability is reported need to keep some things in mind.
The most important aspect of making a software change is to make one change at a time and "test, test, and test again" after each change. Even after stringent tests are conducted, to ensure the change does not "break" something else, it is necessary to translate the changes to the many supported languages -- and test yet again. I would much rather wait the extra time for the testing to be properly conducted than get buggy updates!
The quote below the MMPC blog, Protection for New Malware Families Using .LNK Vulnerability, illustrates precisely why it is my opinion that it is irresponsible by researchers to release proof-of-concept details to the public:
Additional References:What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it.
- MSRC Blog: Announcing Coordinated Vulnerability Disclosure
- MSRC Ecosystem Strategy Team: Coordinated Vulnerability Disclosure: Bringing Balance to the Force
Quote