Security company apologises for disclosure foul-up

By Patrick Gray
08 April 2003 05:40 PM
Tags: gillespie, patrick, andrew, disclosure, policy, parker, gray, jamie
A US-based security company has apologised for prematurely releasing exploit code for a serious vulnerability in Samba, the open-source implementation of the SMB/CIFS file and print sharing protocol that lets Unix and Linux hosts serve Windows clients.

The company came under fire from the Samba team after it released the code alongside its advisory on the vulnerability. Anyone who downloaded the code could use it to completely compromise an unpatched Samba server.

The Samba team was furious, and after tense discussions the company involved, Digital Defense, published an apology for the foul-up. It says management was not aware the security team was planning to release the exploit.

"[The code] did not have Digital Defense management approval and included exploit code that was not authorised for external distribution," it said. "Digital Defense has taken aggressive procedural and policy measures to reduce the likelihood of a similar recurrence".

One of the employees responsible for publishing the code, Erik Parker, spoke to ZDNet Australia by phone from Texas and was upfront in accepting responsibility for the incident.

"We posted the statement, but the management here did not authorise the release of the exploit. That was done by a couple of analysts - myself included," he said. "[The disclosure process] was perfect from day one up until the advisory was released and then it was shocking to them [Samba], and rightly so".

He attributed his decision to publish the code, in part, to the vulnerability already being exploited by black-hat (bad-guy) hackers in the wild.

"It's not like we were dropping a bombshell... but it definitely wasn't a good idea. The exploit should not have been released at the time that it was," he told ZDNet Australia.

Samba itself is rarely exposed at the network border: it emulates a Microsoft file server, and such servers are not normally reachable from the outside world. This is another reason the risk to the Internet community was deemed low, Parker said.
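The point above is the one a practitioner would want to verify on their own hosts: a Samba server that is reachable from the Internet is exactly the case the disclosure bet on not existing. The following smb.conf fragment is an added example, not code from the original article or from the Samba project; it restricts Samba to a single internal interface and subnet. The interface name eth1 and the 192.168.1.0/24 subnet are assumptions for illustration and must be replaced with the site's own values.

```ini
; Added example (not from the article): keep smbd/nmbd off the Internet-facing side.
; Place these lines in the [global] section of smb.conf.
[global]
    ; Only bind to the internal interface (eth1 is an assumed name) and loopback;
    ; without "bind interfaces only = yes" the "interfaces" list is advisory only.
    interfaces = lo eth1
    bind interfaces only = yes

    ; Belt and braces: refuse connections that do not come from the LAN
    ; (192.168.1.0/24 is an assumed internal subnet) or the local host.
    hosts allow = 127. 192.168.1.
    hosts deny = ALL
```

After editing, run `testparm` to confirm the file parses, restart the daemons, and check from an external vantage point that TCP 139 and 445 (and UDP 137/138 for nmbd) are not reachable; a perimeter firewall rule dropping those ports inbound is still the primary control, since a configuration change on one host does nothing for the Samba servers you forgot about.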

The original author of the software and joint head of the Samba team, Canberra-based Andrew Tridgell, was outraged.

"It was unnecessary. They also hadn't told us that they were going to do this. They sent us a draft advisory on Saturday for our approval [without the exploit], then they released the exploit with the advisory [on Monday]," he told ZDNet Australia.

"Their exploit was released about an hour before the announcement on samba.org," he added.

One of the biggest problems with the exploit the company released is that it was fully functional, not merely "proof of concept" code for testing purposes, according to AusCERT security analyst Jamie Gillespie.

"Exploit code released by a security organisation is typically just proof of concept... this was a remote root shell. It was the full deal," he said.

One possible cause of the premature publication, Gillespie says, is the assumption that because running Samba on the Internet is generally a bad idea, nobody actually does it.

"Whatever industry people are in, they only view the Internet from their perspective," he said.

Talkback 1 comments

    Their site has been down for t ...Anonymous -- 10/04/03

    Their site has been down for the past 24 hours.
    "Doh".
    Never heard of this company before (Rookies??).
    Should change their name to DisturbingDisclosure.
    Better luck next time.
