Vulnerabilities in commercially available software products are usually handled through a cycle of discovery and correction that is common across the software industry: flaws are found by independent research firms, reported to the product vendor, and disclosed publicly once a patch is available. This cycle of testing and correction normally closes the holes that hackers and cyber criminals would otherwise exploit to conduct identity theft, identity fraud, and other illicit business online. However, according to Brian Krebs of krebsonsecurity.com, one research firm has announced that it has lost patience with the vendors it has been working with and will release its database of undocumented, unpatched software exploits to the public between now and February 1.
The announcement was made by Evgeny Legerov of the Russian research firm Intevydis, following a statement of frustration with the software vendor community in general. While the move raises many points of business ethics for debate, the practical consequence is this: once Intevydis releases the exploit pack, vulnerabilities in major Web servers, databases, and directory servers used by businesses worldwide will become public knowledge, together with working code to exploit them, before the vendors have shipped fixes. The systems were already vulnerable; what changes is that cyber criminals will no longer need to find the flaws themselves.
Vendors will presumably rush to patch the vulnerabilities Intevydis reveals, but until those patches arrive, businesses can reduce their exposure on their own: know which of these servers they run and which are reachable from the Internet, apply existing vendor updates promptly, restrict access to the affected services where possible, and watch for signs of attack so that a compromise is detected quickly.