
Symantec Releases Vulnerability Advisories

This was a very intensely discussed topic when I worked at Symantec. The company I worked for originally (@stake) was known for releasing security advisories. It was a large part of the PR machine and a staple for most network security firms. Symantec wasn’t sure how to deal with this, and through the very diligent work of a few employees it seems the process is back. The advisories seem a little anemic to me, but something is better than nothing.
What is missing, of course, is actual detail on how to exploit the flaw. There are several reasons why this information isn’t available and will never be available from Symantec. First is the OIS, of which Symantec is a member. This body forbids the “irresponsible” disclosure of vulnerability details. This position is debatable. Common practice these days gives a smart reverse engineer the ability to pick apart the patch itself and obtain whatever details are relevant. There are cases where obscuring this information works and also cases where it hinders safety.
Second is the nature of the firm. Symantec is a large company and has very deep pockets, so putting out exploit code would expose the company to legal action. Whether or not prosecution would ever succeed is irrelevant. The “transaction cost” alone for someone of Symantec’s size would ensure that PR and Legal would gang up to enforce a no-disclosure rule. I would wager both teams, at the very least the latter, were against this move. The rumor mill states that these teams were the ones who killed off the L0phtcrack password auditing software line (LC5) and the incredible WebProxy software. The latter likely died from its inability to generate 100M in revenue per year, which is the magic number for Symantec.
