Leaked Bug Alerts Cause a Stir

By Brian McWilliams

March 19, 2003


Riley Hassell was bewildered this week when details from a confidential bug report he had written mysteriously showed up on a popular security mailing list.

Hassell, a security researcher for eEye Digital Security, had explained in writing a flaw he discovered in widely used Internet software from Sun Microsystems. The problem was so severe that Hassell had agreed to keep his advisory secret for several weeks until Sun and other vendors could create fixes for the affected applications.

But an anonymous person using the e-mail account Hack4life@hushmail.com apparently thought the information shouldn't be kept under wraps.

On Sunday, Hack4life posted an advisory containing the bug's specifics to the Full-Disclosure security mailing list. Hack4life also posted a warning about a separate security flaw discovered by researchers at MIT that wasn't supposed to be published until June.

Hack4life apparently intercepted both documents from the Computer Emergency Response Team, a federally funded security information clearinghouse. CERT officials confirmed this week that CERT had been working with eEye and MIT researchers to coordinate the release of the advisories. According to CERT, intruders may have hacked into systems operated by any of the dozens of affected vendors who received advance copies of the advisories.


CERT also gives an advance warning about flaws to members of the Internet Security Alliance, an information-sharing consortium. ISA members pay a fee to CERT to receive early notification of vulnerability information.

[Shawn Hernan simply can't be that naive .. can he? These pre-warnings go to vendors AND members of the ISA, a vulnerability cartel (aka information-sharing consortium). Yet he suggests that the vendors notified look at their systems for compromise? It had to occur to him that one of the vulnerability cartel members has an insecure system or upstream that allowed this comropmise.]
[But hey, they are paying customers, can't shine any negative light on them right? That's what they are paying for.]

In January, Mark Litchfield, a security researcher with NGS Software, threatened to boycott CERT after learning that information his company confidentially provided to the clearinghouse was distributed first to ISA, and only weeks later to the general public.

[How many times has this happened? When is this *federally funded* group going to be held accountable for their actions? Our tax dollars are funding them to put this information in the hands of people paying them money, and not in my hands in a timely fashion.]

In an e-mail interview, Litchfield said he was not aware of the weekend CERT leaks. But he didn't seem surprised that the group could be vulnerable to occasional security glitches.


Also among the CERT reports posted without authorization was a third advisory based on an article about attacks on the OpenSSL Internet security standard published by researchers at Stanford University earlier this month.

In a posting to the list Monday, Rose said he refused Yu's request, because such a move would violate the editorial integrity of the list's archives. Yu was not immediately available for comment.

[That and the post would pop up on a dozen web sites within minutes of it being pulled down. Does Yu forget this is a mailing list and copies of the posts get distributed to thousands of people?]

CERT representatives declined to say when the organization planned to release official versions of the leaked advisories.

main page ATTRITION feedback