Releasing zero-day exploits to sell a product?

As companies are still picking up the pieces from the Zotob worm and its malicious siblings, a French information security company that sells early exploit warning services has released a zero-day exploit that attacks all versions of Microsoft Internet Explorer.  The same company also released exploit code for the Windows PNP (Plug and Play) vulnerability less than 24 hours after Microsoft released a fix; that exploit code led to the birth of the Zotob worm 5 days later.  Many companies running Windows 2000 were not prepared to patch their systems on such short notice, and they were hit the hardest.  The release of this new exploit is even more alarming since it affects all instances of Internet Explorer and Microsoft has not had a chance to release a patch for the vulnerability it targets.

Microsoft responded by issuing an emergency security advisory which offers some temporary workarounds to the issue.  Since the instructions are a little confusing for the average user, I wrote this explanation and some scripts to automate the Microsoft workaround and SANS wrote their own set of utilities for automating this temporary fix the same day.  I would highly recommend that everyone apply the temporary workaround since the exploit code is out in the wild.

Last month, when Cisco sued Michael Lynn for simply talking about a Cisco vulnerability that was supposedly already patched by Cisco, I defended Lynn because Cisco had plenty of fair warning and Lynn wasn't releasing any actual exploit code.  This case is the exact opposite: a company is releasing the actual exploit code without giving the software maker any time to issue a fix, and they're doing it in a way that benefits their own business, which borders on a "protection" racket.  Since the company is located in France, legal challenges are a bit tricky.  It's mind boggling that this sort of thing is even allowed in a civilized world governed by the rule of law.