Even Valve isn't perfect
Security researcher Luigi Auriemma (no plumber jokes, please) discovered several security vulnerabilities in Half-Life's server and contacted Valve hoping to get a fix. He waited three months without any fix from Valve. Fortunately for us, Mr. Auriemma then decided enough was enough and released an unofficial patch to resolve the security problems. Suddenly, Valve released a dedicated server patch for Windows and Linux! Did I mention it fixes the aforementioned security vulnerabilities?
This is a pretty common pattern with software companies lately: ignore the problem and hope it'll go away. Of course, they have good reason to practice this; after all, it is working so well for companies such as Microsoft, so why not ignore their customers' safety? I'd really like to hear the reasoning behind this. Why were the patches held until he went public? Why not fix this before it gets out, assuming it hadn't already gotten out?
Of course, I can't really blame Valve; from a glance at the headlines around the net, only Slashdot has picked it up. To everyone else it's "New patch, get it here", with no mention of the remote command and DoS exploits it fixes. Apathy really is the best security.