Secunia Broadcasts Zero-day Vulnerability via Email


Steve Ragan

SecurityWeek has learned that Secunia, a Danish vulnerability management firm, disclosed an unpatched vulnerability within an image viewing application used by organizations in both the private and the defense sectors to a public mailing list.

Now, thanks to an email error, a vulnerability once sheltered by a coordinated disclosure program has been exposed.

The disclosure was accidental. An email written by Secunia's Advisory Team Lead, Chaitanya Sharma, was meant to go to the 'vuln' address at Secunia. However, it appears that an auto-completed address (likely the result of typing the letter "V" alone and hitting the Tab key) instead sent the email to vim [at], the Vulnerability Information Managers mailing list.

The publicly posted email chain, which is part of Secunia's vulnerability disclosure program, centers on the work of James Fitts, the researcher who discovered a stack-based overflow in Intergraph's ERDAS ER Viewer application.

"The disclosure of the vulnerability was - exactly as you suggest - an error, and instead of cc'ing an internal Secunia email address, the researcher working on the case by accident cc'ed the mailing list," Morten Rinder Stengaard, Chief Technology Officer at Secunia told SecurityWeek in response to an email inquiry. "This is of course extremely unfortunate, and we are currently going through all procedures to ensure that it cannot happen again in the future."
