Wednesday, February 15, 2006

A timeframe on the purchased/sold WMF vulnerability

The WMF vulnerability and how it got purchased/sold for $4000 was a major event during January, at least for me as for quite some time the industry was in the twilight zone by not going through a recently released report. But does this fact matters next to figuring out how to safeguard the security of your network/PC given the time it took the vendor to first, realize that it's real, than to actually patch it? Something else that made me an impression is that compared to the media articles and my post, was I the only one interested in who bought, instead of who sold it?

So here's a short timeframe on how it made it to to the mainstream media :
January 27 - Kaspersky are the first to mention the "purchase" in their research
January 30 I've started blowing the whistle and friends picked it up (even the guy that got so upset about it!)
January 31 Meanwhile, someone eventually breached AMD's forums and started infecting its visitors!
February 2 Microsoft Switzerland's Security blog featured it
February 2 LinuxSecurity.com republished it
February 2 DSLReports.com picked it up
February 2 Appeared at Slashdot
February 3 OSIS.gov(an unclassified network serving the intelligence community with open source intelligence) picked it up :)

What's the conclusion? Take your time and read the reports thoroughly, cheer Kaspersky's team for their research? For sure, but keep an eye on the Blogosphere as well!

Technorati tags :