The recent telnetd vuln brings two things to mind.
First, as a QA guy myself, I imagine there’s some QA person at Sun saying “D’oh!”.
Second, it makes me think of the full-disclosure argument.
(Wait, doesn’t everything make you think of the full-disclosure argument? Moving on…)
For the sake of discussion, assume you’re against disclosing unpatched vulnerabilities under any circumstances. In this case, we have a fine example of how this might work. You have a perfect opportunity to keep things from yourself. Delete all the emails, blog posts, and news articles that might inform you about the problem. Ignore any IDS signatures and third-party patches. Ignore the fact that absolutely no exploit code is needed, and that any script kid, no matter how unskilled, can pull this hack off.
Don’t disable telnetd on your Solaris 10 machine. Wait for Sun to tell you there’s a patch.
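For anyone who would rather take the other road, here is an added check (not from the original post) that reads Solaris 10 SMF service listings in the `svcs -a` format and reports whether the telnet instance is online; the sample listing is constructed, and the FMRI `svc:/network/telnet:default` is the standard Solaris 10 instance name.

```shell
#!/bin/sh
# Constructed sample of `svcs -a` output on a Solaris 10 host (STATE STIME FMRI columns).
SAMPLE_SVCS='STATE          STIME    FMRI
online         Feb_12   svc:/network/ssh:default
online         Feb_12   svc:/network/telnet:default
disabled       Feb_12   svc:/network/ftp:default'

# Read svcs-style output on stdin; exit 0 if the telnet instance is online, 1 otherwise.
telnet_online() {
    awk '$1 == "online" && $3 == "svc:/network/telnet:default" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Evaluate a listing passed as $1 and print the SMF command that turns telnetd off.
# Returns 1 when telnetd is online (action needed), 0 when it is already off.
telnet_check() {
    if printf '%s\n' "$1" | telnet_online; then
        echo "telnetd is online; disable it with: svcadm disable svc:/network/telnet:default"
        return 1
    fi
    echo "telnetd is not online"
    return 0
}

# On a live host the same check is simply: svcs -a | telnet_online
```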
That’s one extreme end of the disclosure debate spectrum. You can refuse to participate in the disclosure game on a personal level.
I can’t stop you.