Symantec gets poked in the eEye
eEye has found a pretty serious vulnerability in Symantec's AV software. You've probably already read about it (Stiennon covered it - http://blogs.zdnet.com/threatchaos/?p=334 and here is the AP link). The fact that the vulnerability exists is not what's interesting.
It's that eEye has disclosed that it found the vulnerability this week, notified Symantec and is not telling anyone any specifics until the patch is released. It kind of turns the public relations aspect of vulnerability hunting on its ear.
Clearly not satisfied with getting credit at the bottom of the security alert, eEye disclosed the vulnerability to get full credit now and also to make the public point that their host intrusion protection product protects against the flaw. That leads me to believe that most HIPS products will stop the attack.
Of course, this attack is already a non-issue for most users because once Symantec patches the hole, the fix will be automagically pushed out to all of the vulnerable installations (at least the ones set to take automatic updates). So everyone is getting worked up about an exposure that will be patched before any real details come to light.
I'm not sure I'm cool with this "I found something but I'm not telling you about it" approach. It is clearly better than fully and publicly disclosing the issue (and how to exploit it) with no warning. But since this is a PR strategy for eEye, they couldn't have waited until the patch was out; by then, their ability to say that their HIPS product stops the attack would be gone.
So I guess we'll need to get used to this. Vulnerabilities will be found and sort of disclosed, but without enough information to cause damage. And PR folks will stay very busy working the media up into a frenzy for an attack that will never amount to anything.