Ira Winkler, president, Internet Security Advisors Group, said: “I simply don't believe in full disclosure. I realise that there are arguments on either side, but this case represents the best and worst about vulnerability disclosure.”
Winkler said he believed that the critical DNS flaw was already known to hackers before the researcher's discovery. “Some people obviously knew about this years before, certainly at a government-agency level. I've worked with the NSA, and yes, they are trying to hack software – we'd all be pretty disappointed if they weren't!”
The flaw enables hackers to 'poison' the DNS cache, allowing legitimate site requests from users to potentially be invisibly redirected to malicious sites. Security researcher Kaminsky discovered the flaw earlier this year and passed it on to vendors so they could patch the problem. However, a confidential briefing to other researchers was leaked, resulting in the availability of exploit code before the patch release date – timed to coincide with Kaminsky's Black Hat talk on the topic.
“It's always where public acknowledgment comes into it that things begin to go wrong”, continued Winkler, “if there is ego involved, then there will be an exploit produced. Somebody always wants the dubious glory of being the first to publish new exploit code.
“The thing you have to ask yourself is whether security is about protecting systems, or making them more vulnerable”, he continued. “Security as a concept is never really achievable. The dictionary definition is total freedom from risk, which is simply impossible. It's a question of assessing the risk in each individual situation.”