Researchers have pulled out of a presentation which was expected to reveal details of a major security vulnerability, citing concerns that hackers could exploit the flaw.
The last minute cancellation of a press conference at the Black Hat security event was because the flaw was so sensitive that even revealing the vendor affected could potentially cause hackers to start poking around with applications or operating systems to try to figure it out, said Jeff Moss, Black Hat's CEO.
The unnamed vendor has told the researchers that it could have a patch ready in a month or so, but it could take as long as four months, Moss said. There are fears that the problem could be as serious as the one in DNS revealed by Dan Kaminsky last year.
"Apparently, it's harder to patch and harder to fix so it's taking longer than they thought," Moss said.
Security researchers who present at Black Hat are encouraged to practice what's called "responsible disclosure," where the vendor is notified and allowed to create a patch before the vulnerability is publicly revealed. Moss said it's hopeful that the vendor and the researchers would be able to release a patch and the details at the same time.
It wouldn't be the first time Black Hat has been on the bleeding edge of vulnerability disclosure. This time at least there haven't been any legal threats from the vendor, Moss said.
In 2005, Michael Lynn, who worked for Internet Security Systems (ISS) at the time, had prepared a talk about how Cisco Systems' routers could be remotely compromised. Cisco and ISS ganged up to stop him.
Lynn changed his presentation and instead spoke about VoIP. After hearing boos from the crowd, he switched to his original topic. He didn't release attack code but instead provided proof it could be done.
Lynn had to quit his ISS job, and was sued by ISS and Cisco, but the lawsuit was eventually dropped after he agreed not to discuss its contents.
If the Black Hat organisers aren't bluffing and the vulnerability is as serious as Kaminsky's, it could mean that lots of companies are doing some secret patching.
Once exploit code is released for a vulnerability, it's game on for hackers, who will immediately try to find vulnerable computers or servers.
Kaminsky's research prompted an unprecedented, industry-wide effort to patch DNS servers, which are used by thousands of companies, ISPs and other entities running networks. Much of that work was done in secret so as to not tip off the bad guys.
The flaw showed that DNS servers were susceptible to an attack that could redirect Web surfers to fraudulent websites even if the URL was typed in correctly, among other scenarios.