This is what's called full disclosure.
Some vendors have hidden behind excuses like "oh, that one isn't exploitable, so it's low priority, we'll fix it in a month". Until someone puts out a script and makes it public.
While probably a dozen other private versions were circulating...
If it isn't on tuxplanet then it'll be on IRC anyway.
Look at this:
[quote]http://www.securiteam.com/unixfocus/5VP010URFU.html
Disclosure Timeline:
2009-04-28:
Core Security Technologies notifies the Apple Product Security Team of the vulnerability and announces its initial plan to publish the advisory on May 20th, 2009. Technical details and Proof of Concept (PoC) are sent to Apple Security Team.
2009-04-28:
The vendor acknowledges reception of the technical report and PoC.
2009-05-11:
Core reminds Apple Security Team its initial plan to publish the advisory on May 20th, and asks the confirmation that patches will be released by then.
2009-05-12:
Core notifies Apple Security Team that this is a multi-vendor issue (affecting, for example, multiple Linux distributions), and asks if the patch process of the CUPS vulnerability will be coordinated using the vendor-sec mailing list.
2009-05-12:
Apple Product Security Team notifies Core they will contact vendor-sec about this issue very soon and proposes to reschedule the advisory publication date to June 2nd. The vendor also notifies the issue was addressed in Mac OS X 10.5.7 by updating CUPS to version 1.3.10.
2009-05-13:
Apple Product Security Team notifies the suggested fix would be to update to CUPS 1.3.10.
2009-05-15:
The Red Hat Security Response Team informs (via vendor-sec) CUPS 1.1.17 is the oldest version they still ship and it is affected too. This issue will probably affect even earlier CUPS versions too.
2009-05-25:
The Debian Team informs (via vendor-sec) there is a bug in the PoC provided by Core. The advisory PoC is changed according to the comments made by Debian Team.
2009-05-28:
Core notifies that the advisory is going to be released on June 2nd, and requests a confirmation from Apple Security Team and vendor-sec subscribers.
2009-05-29:
Apple Security Team, Red Hat Security Response Team and Debian Team confirm the proposed release date. There was no request for embargo date shift posted to vendor-sec.
2009-06-02:
The advisory CORE-2009-0420 is published. [/quote]
(and that's not even the worst of them; I can't find those again, but for some it's several months of waiting. For a multinational... that doesn't look good...)
Anyway, yesterday was Patch Tuesday over at crosoft. With how many bugs? 5? 6? I didn't check. 1 remote, I think. The explanations are very vague, even if that has improved.
And as of today, the pirates are diffing the binaries to understand the fix and turn it back into an exploit. That's "Exploit Wednesday".
Anyway, in our dear country, we're barely even allowed to talk about security. Downloading or hosting this kind of tool is, I believe, illegal for a private individual who doesn't work in the security field. Even to test your own security. Perfect for the blackhats.