Product Flaws Leaked Online

An individual using the name Hack4life sent another internal CERT Coordination Center memo to an online discussion list Friday, detailing a product vulnerability that hadn't yet been disclosed, in what appears to have been the fourth such incident last week.

The leaked e-mail message, from Ian Finlay, an Internet systems security analyst at CERT, concerned a message from Microsoft to CERT regarding a vulnerability in Web redirectors, which forward a visitor from one Internet domain to another.

Microsoft is concerned that such sites are being used by organizations and individuals to disguise the source of spam e-mail, making it appear to come from legitimate sources, according to Finlay's message. In addition, the widespread exploitation of such redirection servers, which are calibrated to handle an expected volume of traffic, could constitute a denial-of-service attack against the organizations that use those servers, Finlay wrote.

Spreading the Word

In a note that preceded the leaked e-mail message, the individual responsible for posting the message apologized to the hacker community for the low severity level of the reported problem.

"Your mileage with this vulnerability may vary; some people will think it's irrelevant; some may be able to make use of it," Hack4life wrote. "CERT obviously thinks it's worth while, so I've take [sic] the choice out of their hands too and released it anyway," the note said.

The leaked e-mail message regarding the Web page redirect problem follows three similar posts, apparently from the same individual, on March 16. Those vulnerabilities concerned security problems being researched by CERT but that had not been disclosed to the public:

A buffer-overflow vulnerability in a software library used by many Unix and Linux operating systems and applications.

A technique for attacking and breaking encryption on Web servers that use SSL (Secure Sockets Layer).

Cryptographic vulnerabilities in the Kerberos Version 4 protocol that could allow an attacker to impersonate a user in a Kerberos realm and gain privileged access.

Shared Information

CERT believes that all of the leaks came from information shared with vendors.

"The particular text that he posted was taken directly from e-mail messages sent to the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT.

CERT customarily shares such information with vendors when it is developing vulnerability notices and alerts, Hernan said. The organization had narrowed its focus to "a fairly sizeable group" of those vendors with which CERT has long-standing relationships, Hernan said.

CERT encrypts correspondence about vulnerabilities when it sends that information to vendors. Each vendor maintains its own unique encryption key for deciphering and viewing the information after it is received.

To view information in the message, an intruder would have to defeat the PGP (Pretty Good Privacy) or SSL keys used to encrypt the comment, which Hernan said was "highly unlikely." If the messages were stored in decrypted form on a compromised e-mail server, an intruder could obtain the information that way as well, Hernan said.

Searching for the Source

The most likely scenario, however, was that the culprit was in a position to obtain the decrypted information, possibly as part of a development team assigned to evaluate or fix the problems, Hernan said.

Hernan discounted the possibility that a CERT employee leaked the information, saying that CERT insiders have access to more-sensitive issues that would be more-attractive targets for premature disclosure than the items published by Hack4life.

CERT is working with the software vendors that are most likely to be affected by the premature disclosures, and is taking other measures to respond to the leaks, Hernan said.

If the person responsible for the leak is a maverick employee of one of the vendors CERT is communicating with, however, it may be difficult to prevent future disclosures, Hernan said.

CERT would not comment on whether law enforcement officials had been contacted concerning the leaks, but the difficulty in determining the location of the person responsible for the leaks could complicate any criminal investigation, Hernan said.

Following Procedure

The organization, which is affiliated with Carnegie Mellon University in Pittsburgh, will continue to thoroughly research the leaked issues before publishing an alert.

"We feel there's a real benefit in making sure issues are properly scoped and researched before they are made public," Hernan said.

However, the premature disclosures changed the priority of those issues, Hernan said.

Hernan took aim at the person responsible for the leaks, saying that the author's tone in the posts to the discussion list was "petulant" and that he would have more respect for the author's opinions about disclosing product vulnerabilities if the person would give his or her name.

Publishing product vulnerabilities before a patch is available does not send a message about the benefits of full disclosure, but rather means that research on more-important vulnerabilities must be postponed so that vendors can address the leaked problems, Hernan said.

"I have no quarrel with the full disclosure community, but I do have a quarrel with the stupid disclosure community," Hernan said.