David Heath
Friday, 12 March 2010 15:21
When AV vendors announce details of a new vulnerability, they are suitably vague so as to avoid giving the naughty lads an opportunity to exploit the problem. This time, one of them went too far.
In the past few days, news of a serious vulnerability in Internet Explorer has been circulating. It has been referred to as a "zero-day exploit" to indicate that remediation is not yet available (although all AV vendors have either issued, or are about to issue, detection signatures).
As is typical with such vulnerability announcements, the leading AV vendors are falling over themselves to blog about the issue in terms that make it clear they understand the problem, but not in so much detail that an exploit may be developed.
Unfortunately, this time McAfee seems to have gone a little too far.
According to reports, the information provided in a McAfee blog post enabled an Israeli security researcher to develop exploit code to take advantage of the problem.
Worse, the researcher claims to have fully identified the attack vector in just 10 minutes based on the information provided.
There is an ongoing debate about just how much disclosure there should be about unpatched exploits. Some argue that disclosure should be a private conversation between the discoverer and the vendor until a patch is available. Others contend that such an arrangement puts no pressure on the vendor to patch the hole with any haste - there's nothing like the unexpected gaze of the public to cause loins to be girded.
