Even Valve isn't perfect


Security researcher Auriemma Luigi (no plumber jokes, please) discovered several security vulnerabilities in Half-Life's server and contacted Valve hoping to get a fix. He waited three months without any fix from Valve. Fortunately for us, Mr. Luigi then decided enough was enough and released an unofficial patch to resolve the security problems. Suddenly, Valve releases a dedicated server patch for Windows and Linux! Did I mention it fixes the aforementioned security vulnerabilities?

This is a pretty common pattern with software companies lately: ignore the problem and hopefully it'll go away. Of course, they have good reason to practice this; after all, it is working so well for companies such as Microsoft, so why not ignore their customers' safety? I'd really like to hear the reasoning behind this: why were the patches held until he went public? Why not fix this before it gets out, assuming it hadn't already gotten out?

Of course, I can't really blame Valve; from a glance at the headlines around the net, only Slashdot has picked it up. To everyone else it's "New patch, get it here", with no mention of the remote command and DoS exploits it fixes. Apathy really is the best security.


Kinda reminds me of the Unreal engine exploit, as Epic kinda goofed at first and failed to address the problem for a while despite being notified. I found the public outcry after that somewhat amusing, though, as I'm tempted to think that at least 50% of the players who complained ran/run games on unpatched operating systems (and without a firewall or something like that). Still, companies should take care faster/better, of course.