Should companies subscribe to exploit packs?
He described RealPlayer as a "very buggy piece of software," claiming the company has two more exploitable flaws in its pocket. "Our customers need to understand that RealPlayer is a real risk," Legerov argued.
Dave Aitel, founder and vulnerability researcher at Immunity, believes companies like RealNetworks should subscribe to commercial exploit packs. "It's a drop in the bucket for them," Aitel said, noting that access to exploits can take a lot of exploitable bugs off the table.
Immunity, like Gleg, ships exploits to paying subscribers in its CANVAS penetration testing platform, and Aitel argues that software vendors should recognize the value of embracing third-party research as part of the security development lifecycle. Immunity does not share its findings with affected vendors.
Over at Carnegie Mellon's CERT/CC, vulnerability analyst Chad Dougherty is worried that Gleg's silence will leave millions of computer users exposed to hacker attacks for a long time.
"We've seen this trend develop for a while, where vendors are at the mercy of hackers. In some cases, it gets the information flowing directly to the affected vendor but in cases like this, it's the end user who suffers," Dougherty said in an interview.
"For the situation to improve for end users, legitimate users of those commercial exploit kits need to start demanding that the companies that sell them allow users to interact with affected vendors. If you buy these exploit packs for a legitimate reason, you should be demanding some contractual or legal right to contact the affected vendor to get the issue fixed," he added.
Dougherty's unit has also tried in vain to get details on the RealNetworks issue from Gleg. "We'd like to see the issue get fixed. We don't get into the politics of disclosure. Our objective is to get the information flowing in a way that end users are protected."