Digital Defense found a problem with Samba. Then they sent a draft of the exploit to Samba last Saturday, then on Monday they posted news of the vulnerability along with code to exploit it to the world.
Apparently a big feud ensued in which the Samba guys were furious at Digital River. The release was premature and it contained code for the exploit; those are the issues that "outraged" the Samba folks.
Then Digital River responded with a flurry of apologies and stated that management was not aware of the release. The release was basically not authorized, so they say.
Honestly, I don't fault Digital River for making the issue public ASAP. However, it was poor judgment to include code that could execute the exploit with the news of the exploit.
Making the world aware a problem exists is good, regardless of the timing and whatever the authors of the software think (I know that's a point of contention for many, but IMHO, being aware of the problem even before it is fixed is important; for example, you could disable a certain program until a fix was available if you knew it had vulnerabilities, etc.). However, publishing that an exploit exists and providing some details is different than actually providing code to take over affected machines; that's a bad idea.
All in all I think the Digital Defense folks made a mistake in releasing code to perform the exploit, but their timing was not outrageous like the Samba team asserts. Get over it; if the software has monumental holes as it did in this case, the world needs to be aware ASAP whether or not it's Microsoft or open source such as Samba.
For more see the linked news.com article.