by burlyscudd
5016 days ago
In addition to giving security professionals tools to see how vulnerable their infrastructure is to real-world attacks, releasing exploits like this actually creates significant pressure for vendors to patch vulnerable software. Take the recent Java 1.7 vuln (3 weeks or so ago). Oracle released a patch 4 days after that exploit was rolled into Metasploit. I'm sure they'll tell you that's a coincidence, but it's still nice to see happen completely out-of-band from their normal patch process. Word around the campfire is that Oracle knew of that vuln for months w/out a patch. Then along comes big bad Metasploit and you've got a patch for everyone on Java 1.7. I call that a win.

As for embarrassing the vendor and highlighting their sloppiness, well there may be some mileage in that. Though you would have thought vendors were a little bit more proactive.
Still it's out there now and in that evolution is a wondrous thing to behold at work, some will learn and some will not.