And now the race has started with admins not being able to do anything. Anyone that knows of this vulnerability has enough time for a last hurrah to exploit it as much as possible.
I suppose it's theoretically possible someone was hoarding this as a zero-day and may decide to more actively exploit it before it gets patched. Except of course that they don't know which precise vulnerability it is.
Also, what I'm considering is who has insider access and how that information leaks... This fix must be known to at least some of the curl developers. Will they leak it or not? Or anyone who receives it early...
It most definitely does. You know it's going to be patched. You no longer have to tiptoe around to conceal the problem. This can be the difference between snooping a bit of data here and there and just straight up dumping the contents of entire servers.
Of course this depends on the vulnerability itself. But knowing a vulnerability will be patched can be hugely interesting and worthwhile information.
I don't agree. As an admin I can cordon off systems which might be exploited until the fix is released. If there's nothing to exploit, how can you exploit it?
Sure you can. Do you think Slack can? Google can just down their entire fleet? Servers are an essential part of the world functioning. Curl is such a foundational library it's almost sure to be used in a large part of existing servers.