Should security experts alert us to exploits?

Recently David Litchfield posted that the Slammer worm that hit MS SQL servers was built on his code. He had posted the code to demonstrate the exploit. He now wonders whether that was a good idea, because someone used this knowledge to create Slammer. "What if someone died because of this?" was one question raised.

Sure, posting exploits could cause problems. However, what if the exploit had not been posted? MS might not have created a patch. Then, when someone *did* find the hole, instead of having an 8-month-old (and well-tested) fix, we might be at ground zero, waiting *weeks* for MS to fix the problem.

In that scenario, maybe many people would have died before the patch was available. I think it is wrong to live in fear; that is a philosophy for life in general. Let's post the problems and make the suppliers fix them; then the onus is on the user to keep their systems up to date.

1 comment

  1. True. But I don't believe it's just on the admins to "keep their system up to date". I heard several comments about this on Your Mac Life, the same episode where GeeksRUs was named twice. It stated that many of the admins did NOT patch because it broke other stuff of theirs. Even MS didn't patch. So, how can you ask an admin to run an installer when it's going to cause MORE problems? That's the last thing you want.

    But then again, remember, these are MS installers we're talking about: "Install SP1, then the patch, then install SP2, then reinstall just this part of SP1, then install the second patch. Then reinstall the full SP1, then run SP2. Download the critical update for SP2, install that, run the other patch, then reinstall SP1 and stop it halfway, so that it doesn't overwrite the last patch. Finally, go to our website and give us feedback, and when that doesn't work, download SP3."
