Cisco says that it disclosed the IOS vulnerability and issued a patch in April, and that Lynn's talk described only a new and different way to exploit that already-known flaw. Regardless, the "heightened sense of public awareness," as a Cisco spokesman described the Lynn kerfuffle, prodded the company to issue a more detailed security advisory late last month, explaining how IOS is vulnerable to denial-of-service attacks and possibly to a more dangerous remote-code-execution exploit. Cisco also posted a list of the fixed IOS versions that customers could adopt, along with a work-around for those who cannot upgrade immediately. Hopefully, Cisco shops are paying attention, and Cisco has learned something about the value of communicating openly with customers and the public.
But if Cisco was willing to come clean, why did it raise such a stink about Lynn's Black Hat presentation? Cisco and ISS maintain that Lynn's research was "premature" and that they planned to present a more developed version of it at a later security conference. We'll see.
For his part, Lynn says he felt compelled to report the IOS vulnerability before it was exploited in attacks on the Internet, though he maintains he never revealed details that would abet an attacker.