It has come to my attention that my recent post on the ‘late response from Triangle MicroWorks’ may have been based upon incomplete information.
First off I have been informed that there were earlier direct communications from TMW to their customers long before their most recent post about the ICS-CERT vulnerability on their web site. These communications were not made via their web site; that would not be surprising, particularly if they were made before the publication of the ICS-CERT advisory. That would, in fact, be something that ICS-CERT would encourage; allowing the customers a chance to take corrective actions before the vulnerability became public. That is the whole point of the coordinated disclosure process
Second, I have been told that there were earlier versions of the post that I talked about on the web site, but they were recently removed in a house cleaning action that all web sites periodically undergo. Since I don’t routinely check most vendor web sites (other than when an advisory is issued) I would normally not become aware of such posts.
I became aware of the most recent TMW post because of a social media mention. I based my blog response on the wording of the TMW statements in the post and the fact that there is no other mention of the vulnerability on their web site. It appears that that may not have been an adequate basis for making the judgment that I made.
If I misinterpreted the situation, I apologize to the management, staff and customers of TMW and would be more than willing to provide them space on my blog to fully correct my miss-interpretation of the situation.