Apparently researchers at the (apparently Swedish) security company Outpost24 found a vulnerability in the TCP stack, The Register reports:

“If you use the Internet and you serve a TCP-based service that you value the availability for, then this affects you,” Robert E. Lee, chief security officer for Sweden-based Outpost24… “That may not be every Internet user, but that’s certainly any IT manager, that’s certainly any website operator, mail server operator, or router operator.”[1]

Apparently Outpost24 found the vulnerability on 2005, keeping it a secret because they wanted to find a fix to it. Apparently they couldn’t find a fix, so now they are politely asking for help. This action by Outpost24 intrigues me, on they state of mind when finding it. What was there reaction and still wonder…

Now I ask, is this a good practice, to wait 3 years to disclose a mayor vulnerability? Should reseraches be paid for this? Do you have the right to do what ever you want with a vulnerability you find? This questions has been discussed before and will be discussed for a long time.

Last question: Is this a way of saying we don’t trust the security community or we want all the credit. Who knows, but what I know is that there was, a couple of months a go, another “major” vulnerability, that time on the DNS. (for a refresh read it here), and the Internet is still running and we can still chat, log into facebook, watch videos and download torrents. It will be interesting to think what will the world without secure Internet.

You can listen to the podcast of Outpost24′s Senior Security Researcher, Jack C. Louis here.

In another security news apparently there was a major cross scripting exploit found in major sites like YouTube, MetaFilter, New York Times and ING Direct site (which is Financial Service Company).

[1]Full article of the register here.