
Newly discovered vulnerability



WØTKX
05-25-2017, 08:27 AM
https://www.reuters.com/article/us-cyber-attack-samba-idUSKBN18L0GD



A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday.

The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch.

Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced.
But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said.

Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers. There are likely to be many more, it said in response to emailed questions.

Most of the computers found are running older versions of the software and cannot be patched, said Brown.

WZ7U
05-25-2017, 11:52 AM
So, riddle me this Batman. If "they" discover a flaw in a widely used software program, why not quietly behind the scenes make the necessary fix instead of planting a bright neon surveyors flag on it and announce it to the world? Is it just me or does that seem counter-intuitive? As simply an end user, I wonder is it really that hard to write code that is a bit more robust? Or is it the rush to sales that drives the production of software?

It all seems very phishy to me...and now on a Linux system no less

N8YX
05-25-2017, 11:58 AM
Researchers will usually disclose a vulnerability to the affected software owners/developers long before making a public announcement. That's typically a "last resort" measure in an attempt to force the development and release of a fix.

Samba over the Internet? Someone's got themselves a much bigger security problem than a flaw in the module itself.
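N8YX's point that SMB should never be reachable from the Internet is easy to check on the host itself. The following is an added example, not code from this thread or from the Samba project: a POSIX shell function that reads the output of `ss -lnt` and flags Samba listeners (TCP 139 and 445) bound to a wildcard or public address. The listener table in the block is constructed for the example; on a real host you would pipe `ss -lnt` into the function instead.

```shell
#!/bin/sh
# Classify listening SMB sockets (TCP 139/445) by the address they are bound to.
# Input on stdin: lines in `ss -lnt` format (header line is skipped).
# Output: "<address> <port> <class>" per SMB listener, where class is
#   loopback  - 127.0.0.0/8 or ::1
#   private   - RFC 1918, link-local or IPv6 ULA (reachable only from the LAN)
#   EXPOSED   - wildcard bind (0.0.0.0, ::, *) or any other (public) address

smb_exposure() {
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue          # skip header / non-listeners
        port=${laddr##*:}                            # text after the last ':'
        case "$port" in 139|445) ;; *) continue ;; esac
        addr=${laddr%:*}                             # strip ':port'
        addr=${addr#"["}; addr=${addr%"]"}           # strip IPv6 brackets
        addr=${addr#::ffff:}                         # unwrap IPv4-mapped IPv6
        case "$addr" in
            127.*|::1)                                  cls=loopback ;;
            10.*|192.168.*|169.254.*|fe80:*|f[cd]*)     cls=private ;;
            172.1[6-9].*|172.2[0-9].*|172.3[01].*)      cls=private ;;
            "*"|0.0.0.0|::)                             cls=EXPOSED ;;
            *)                                          cls=EXPOSED ;;  # public address
        esac
        printf '%s %s %s\n' "$addr" "$port" "$cls"
    done
}

# Number of SMB listeners that are reachable from outside the LAN.
smb_exposed_count() {
    smb_exposure | awk '$3 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Constructed sample of `ss -lnt` output for a host with several smbd bindings.
# (Assumption for the example; replace with `ss -lnt | smb_exposure` on a real host.)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      50     127.0.0.1:445        0.0.0.0:*
LISTEN 0      50     192.168.1.10:139     0.0.0.0:*
LISTEN 0      50     0.0.0.0:445          0.0.0.0:*
LISTEN 0      50     [::]:445             [::]:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | smb_exposure
printf 'exposed SMB listeners: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | smb_exposed_count)"
```

Anything reported as EXPOSED is a candidate for the "much bigger security problem" above. The fix is on two layers: bind smbd to the internal interface only (`interfaces` plus `bind interfaces only = yes` in the `[global]` section of smb.conf) and add a host or perimeter firewall rule that allows 139/445 only from the LAN. One caveat the check cannot see: a loopback or private binding is still exposed if a NAT port-forward on the router sends 445 to the host, so the perimeter side needs to be verified separately.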

n2ize
05-25-2017, 01:02 PM
Well, I guess they sort of have to publicize it to push individual users and systems admins to get on the ball and keep their software up to date. Case in point, my system checks for updated versions of its software daily so that I can keep it up to date with the latest versions of all my installed software. That way there are no lapses and I have the latest bugfixes and vulnerability fixes. Surprisingly many systems admins don't seem to keep things updated as they should.

N8YX
05-25-2017, 02:23 PM
...Surprisingly many systems admins don't seem to keep things updated as they should.
...because certain dependencies on installed components exist, and alteration of said components can break the overlying application.

This isn't as cut-and-dried as it seems, and a portion of that blame lies at the feet of those who utilize custom API functionality instead of coding to and with industry standard constructs.

KC2UGV
05-25-2017, 08:54 PM
So, riddle me this Batman. If "they" discover a flaw in a widely used software program, why not quietly behind the scenes make the necessary fix instead of planting a bright neon surveyors flag on it and announce it to the world? Is it just me or does that seem counter-intuitive? As simply an end user, I wonder is it really that hard to write code that is a bit more robust? Or is it the rush to sales that drives the production of software?

It all seems very phishy to me...and now on a Linux system no less

They generally do. When the news comes out, the fixes are being distributed by the vendor's update system.

As for why not write more robust code? Yep. We should. Is it harder? Yes. Does it save money shaving corners? Yes.

Really, I don't pass any code review that I cannot understand, even if via commenting. And, I refuse to accept code that doesn't validate and sanitize inputs too. But, I'm a minority, and since most of mine is system code, I don't have much impact.

KC2UGV
05-25-2017, 08:56 PM
Well, I guess they sort of have to publicize it to push individual users and systems admins to get on the ball and keep their software up to date. Case in point, my system checks for updated versions of its software daily so that I can keep it up to date with the latest versions of all my installed software. That way there are no lapses and I have the latest bugfixes and vulnerability fixes. Surprisingly many systems admins don't seem to keep things updated as they should.

Now, try doing that without impacting 1-3 thousand interacting components on distributed servers.

Therein lies the problem: Orchestration.